Malware Analysis Report

2025-08-10 17:50

Sample ID 221021-hzr6dsghcn
Target 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
Tags
cybergate domdom2121 persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300

Threat Level: Known bad

The file 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300 was found to be: Known bad.

Malicious Activity Summary

cybergate domdom2121 persistence stealer trojan upx

CyberGate, Rebhip

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-21 07:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-21 07:10

Reported

2022-10-21 16:07

Platform

win7-20220901-en

Max time kernel

166s

Max time network

182s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A (×22)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\server = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\server.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1684 set thread context of 336 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 1700 set thread context of 1532 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A (×2)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A (×2)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe C:\Windows\SysWOW64\cmd.exe (×7)
PID 1760 wrote to memory of 620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe (×7)
PID 1928 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe (×7)
PID 1684 wrote to memory of 336 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe (×11)
PID 336 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE (×32)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe

"C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7109605.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "server" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" /f

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

"C:\Users\Admin\AppData\Roaming\FolderName\server.exe"

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

"C:\Users\Admin\AppData\Roaming\FolderName\server.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

"C:\Users\Admin\AppData\Roaming\FolderName\server.exe"

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

"C:\Users\Admin\AppData\Roaming\FolderName\server.exe"

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

"C:\Users\Admin\AppData\Roaming\FolderName\server.exe"

Network

Country Destination Domain Proto
TR 95.6.97.198:2121 N/A tcp (×2)
TR 176.240.164.204:2121 N/A tcp (×2)

Files

memory/1928-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

memory/1928-57-0x0000000000400000-0x0000000000547000-memory.dmp

memory/1928-58-0x0000000000A60000-0x0000000000BA7000-memory.dmp

memory/1760-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7109605.bat

MD5 30427ea9b824990e669b8a383ad42b73
SHA1 9550aa03263d08a15cb8789c80043686712ac68b
SHA256 c7addd0e470d90071c05c5e80ed6ca7bf8a968636b3b732bb735d90ceffdd2f4
SHA512 475eb9b535fcc5eb26c1483a4ed0784af509bb195feaf9ceffab3ba6e7ba853590ebd25bd419c7e9846aeba9135f11d3996fef2b2db3e50a5a4f72070acd0d52

memory/620-62-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/1684-68-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/1928-75-0x0000000000400000-0x0000000000547000-memory.dmp

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/1684-78-0x0000000000940000-0x0000000000A87000-memory.dmp

memory/1684-79-0x0000000000400000-0x0000000000547000-memory.dmp

memory/1684-80-0x0000000000940000-0x0000000000A87000-memory.dmp

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/336-82-0x0000000000400000-0x0000000000455000-memory.dmp

memory/336-83-0x0000000000400000-0x0000000000455000-memory.dmp

memory/336-85-0x0000000000400000-0x0000000000455000-memory.dmp

memory/336-86-0x0000000000400000-0x0000000000455000-memory.dmp

memory/336-87-0x0000000000453810-mapping.dmp

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/1684-90-0x0000000000400000-0x0000000000547000-memory.dmp

memory/336-92-0x0000000000400000-0x0000000000455000-memory.dmp

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/336-97-0x0000000000400000-0x0000000000455000-memory.dmp

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/336-98-0x0000000000400000-0x0000000000455000-memory.dmp

memory/336-99-0x0000000000460000-0x00000000005A7000-memory.dmp

memory/336-100-0x0000000000460000-0x00000000005A7000-memory.dmp

memory/336-101-0x0000000000460000-0x00000000005A7000-memory.dmp

memory/336-102-0x0000000000400000-0x0000000000455000-memory.dmp

memory/336-104-0x0000000024010000-0x0000000024070000-memory.dmp

memory/1400-107-0x0000000024010000-0x0000000024070000-memory.dmp

memory/1292-110-0x0000000000000000-mapping.dmp

memory/1292-112-0x0000000074A31000-0x0000000074A33000-memory.dmp

memory/336-113-0x0000000024070000-0x00000000240D0000-memory.dmp

memory/1292-118-0x0000000024070000-0x00000000240D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 78ec5e9296040c4cecc14210cb2bcd13
SHA1 8183bcfab475fb5f35f9be4e8d7335ed57da7f6e
SHA256 8daf3aefd73885fe84d746a7f672e3032bf8f6fb01e5951d9c7c16e2251feddf
SHA512 3fd22d2745b7583c42b9abbae5e86d037b9161ff5410b7e78a655dfede7dc8ab9a617085ee4ddb06253fec77a41bd6d1e19cea6c29c3b3f05e7c1a13e5ec212e

memory/1292-120-0x0000000024070000-0x00000000240D0000-memory.dmp

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/1312-123-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/336-129-0x00000000240D0000-0x0000000024130000-memory.dmp

memory/336-135-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1312-134-0x00000000240D0000-0x0000000024130000-memory.dmp

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/1700-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/1312-143-0x0000000005150000-0x0000000005297000-memory.dmp

memory/1700-144-0x0000000000400000-0x0000000000547000-memory.dmp

memory/1700-145-0x0000000000AB0000-0x0000000000BF7000-memory.dmp

memory/1312-147-0x0000000000400000-0x0000000000547000-memory.dmp

memory/1312-149-0x00000000240D0000-0x0000000024130000-memory.dmp

memory/1700-150-0x0000000000AB0000-0x0000000000BF7000-memory.dmp

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4063495947-34355257-727531523-1000\699c4b9cdebca7aaea5193cae8a50098_8e28fefd-2db0-4dd4-85d7-665f2cf2c74b

MD5 5b63d4dd8c04c88c0e30e494ec6a609a
SHA1 884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA256 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA512 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

memory/1532-158-0x0000000000453810-mapping.dmp

memory/1700-161-0x0000000000400000-0x0000000000547000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/1532-163-0x0000000000400000-0x0000000000455000-memory.dmp

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/1532-168-0x0000000000400000-0x0000000000455000-memory.dmp

\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/1532-169-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1532-170-0x0000000000460000-0x00000000005A7000-memory.dmp

memory/1532-171-0x0000000000460000-0x00000000005A7000-memory.dmp

memory/1532-172-0x0000000000460000-0x00000000005A7000-memory.dmp

memory/1532-173-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1312-174-0x0000000005150000-0x0000000005297000-memory.dmp

memory/1312-175-0x00000000240D0000-0x0000000024130000-memory.dmp

memory/1532-176-0x0000000000400000-0x0000000000455000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-21 07:10

Reported

2022-10-21 16:07

Platform

win10v2004-20220812-en

Max time kernel

165s

Max time network

184s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A (×17)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\server = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\server.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 644 set thread context of 4972 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 4276 set thread context of 2220 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A (×2)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4916 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3276 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3276 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4916 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 4916 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 4916 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 644 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 644 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 644 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 644 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 644 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 644 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 644 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 644 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Users\Admin\AppData\Roaming\FolderName\server.exe
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE
PID 4972 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\FolderName\server.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe

"C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240599187.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "server" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" /f

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

"C:\Users\Admin\AppData\Roaming\FolderName\server.exe"

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

"C:\Users\Admin\AppData\Roaming\FolderName\server.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

"C:\Users\Admin\AppData\Roaming\FolderName\server.exe"

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

"C:\Users\Admin\AppData\Roaming\FolderName\server.exe"

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

"C:\Users\Admin\AppData\Roaming\FolderName\server.exe"

Network

Country Destination Domain Proto
US 52.109.8.45:443 tcp
US 93.184.221.240:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
IE 13.69.239.73:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
TR 95.6.97.198:2121 tcp
TR 176.240.164.204:2121 tcp
TR 95.6.97.198:2121 tcp
TR 176.240.164.204:2121 tcp
TR 95.6.97.198:2121 tcp

Files

memory/4916-132-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4916-135-0x0000000000400000-0x0000000000547000-memory.dmp

memory/3276-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\240599187.bat

MD5 30427ea9b824990e669b8a383ad42b73
SHA1 9550aa03263d08a15cb8789c80043686712ac68b
SHA256 c7addd0e470d90071c05c5e80ed6ca7bf8a968636b3b732bb735d90ceffdd2f4
SHA512 475eb9b535fcc5eb26c1483a4ed0784af509bb195feaf9ceffab3ba6e7ba853590ebd25bd419c7e9846aeba9135f11d3996fef2b2db3e50a5a4f72070acd0d52

memory/2004-138-0x0000000000000000-mapping.dmp

memory/644-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/644-142-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4916-143-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4972-146-0x0000000000000000-mapping.dmp

memory/4972-147-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/4972-150-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4972-152-0x0000000000400000-0x0000000000455000-memory.dmp

memory/644-151-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4972-153-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4972-155-0x0000000024010000-0x0000000024070000-memory.dmp

memory/3892-159-0x0000000000000000-mapping.dmp

memory/4972-160-0x0000000024070000-0x00000000240D0000-memory.dmp

memory/3892-163-0x0000000024070000-0x00000000240D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 78ec5e9296040c4cecc14210cb2bcd13
SHA1 8183bcfab475fb5f35f9be4e8d7335ed57da7f6e
SHA256 8daf3aefd73885fe84d746a7f672e3032bf8f6fb01e5951d9c7c16e2251feddf
SHA512 3fd22d2745b7583c42b9abbae5e86d037b9161ff5410b7e78a655dfede7dc8ab9a617085ee4ddb06253fec77a41bd6d1e19cea6c29c3b3f05e7c1a13e5ec212e

memory/3892-165-0x0000000024070000-0x00000000240D0000-memory.dmp

memory/1944-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/4972-169-0x00000000240D0000-0x0000000024130000-memory.dmp

memory/1944-172-0x00000000240D0000-0x0000000024130000-memory.dmp

memory/4972-173-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1944-174-0x0000000000400000-0x0000000000547000-memory.dmp

memory/1944-175-0x00000000240D0000-0x0000000024130000-memory.dmp

memory/4276-176-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/4276-180-0x0000000000400000-0x0000000000547000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2891029575-1462575-1165213807-1000\699c4b9cdebca7aaea5193cae8a50098_9be0bf4d-f8db-4af4-be85-dc38433c9501

MD5 5b63d4dd8c04c88c0e30e494ec6a609a
SHA1 884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA256 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA512 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

memory/2220-182-0x0000000000000000-mapping.dmp

memory/2220-186-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4276-187-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2220-188-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderName\server.exe

MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151

memory/2220-189-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1944-190-0x00000000240D0000-0x0000000024130000-memory.dmp

memory/2220-191-0x0000000000400000-0x0000000000455000-memory.dmp