Malware Analysis Report

2024-12-07 20:37

Sample ID 240214-jkbqjada71
Target 9b24f78266073aed6e00462cb31756e2
SHA256 f8c4d7333771ba91143b8122fe3b8a20b624efc6f2ed9a9899bde7d025518433
Tags cybergate vítima persistence stealer trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 f8c4d7333771ba91143b8122fe3b8a20b624efc6f2ed9a9899bde7d025518433

Threat Level: Known bad

The file 9b24f78266073aed6e00462cb31756e2 was found to be: Known bad.

Malicious Activity Summary

cybergate vítima persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

Uses the VBS compiler for execution

UPX packed file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported 2024-02-14 07:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-14 07:43

Reported 2024-02-14 07:45

Platform win7-20231215-en

Max time kernel 150s

Max time network 154s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V} C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V}\StubPath = "C:\\Windows\\system32\\Svchost\\Svchost.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost\\Svchost.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Users\\Admin\\AppData\\Roaming\\zkHrWvUYWU.exe" C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Svchost\Svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Svchost\Svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 760 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 760 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe
PID 2380 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2472 wrote to memory of 1420 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe

"C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe

"C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe

"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"

C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe

"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"

C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe

"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

C:\Users\Admin\AppData\Roaming\zkHrWvUYWU.exe

MD5 9b24f78266073aed6e00462cb31756e2
SHA1 603e0d50a9b9464a0a7d70dd0bfb06191918ea6e
SHA256 f8c4d7333771ba91143b8122fe3b8a20b624efc6f2ed9a9899bde7d025518433
SHA512 3fe6b0af07cd3b4661c3d84003c5b6d644727ad2826e273875f9f01aad4bb8bfc7eef7f02087c0dd5aa5d5c64797721dabfddae6ce6bedb83969fc64c6c845fe

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

C:\Windows\SysWOW64\Svchost\Svchost.exe

C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe

\Users\Admin\AppData\Roaming\Svchost\Svchost.exe

C:\Users\Admin\AppData\Roaming\logs.dat

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e17e368202d20b77b278f440804dab4f
SHA1 c5ec5d3812f2c23db7c612d37cf37be2d0417889
SHA256 b004a82fc745d253e76a73f8a3366b13c4f72f4b994a9abb200d8711796b472a
SHA512 048847549d88fc229e9ecffa1fb9d06071ca0bfbdfe3fbfc243a1970af4548310263283e707b96813bcfee3900224a794ecb9f5d601fc9fa17508a6a2c5307fc

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c73030159e06b12d41a7ffc71efbc861
SHA1 3cdf8eb17392e6a76f0786100e014b496428de18
SHA256 9566a7fd415ea6469aa2e294b62924cc56cd69d1c113b7a2c518262c0728c3aa
SHA512 f80eec40fe4aeeab8b630e5982dcc730863f9a8dc6ccc66a8e277f88d160f82e1ec97fa6765323bd4bf74e1c9dbe8bd6997345f87d982cf0b0610ba547f9c8f4

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-14 07:43

Reported

2024-02-14 07:45

Platform

win10v2004-20231215-en

Max time kernel

155s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V}\StubPath = "C:\\Windows\\system32\\Svchost\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V} C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5W635MC-76M6-FLUM-0BL4-623A554WR36V}\StubPath = "C:\\Windows\\system32\\Svchost\\Svchost.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Svchost\Svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Users\\Admin\\AppData\\Roaming\\zkHrWvUYWU.exe" C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Svchost\\Svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Svchost\Svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Svchost\Svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Svchost\Svchost.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\Svchost\ C:\Windows\SysWOW64\explorer.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 816 wrote to memory of 3428 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe

"C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe

"C:\Users\Admin\AppData\Local\Temp\9b24f78266073aed6e00462cb31756e2.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1392 -ip 1392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1012 -ip 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 984

C:\Windows\SysWOW64\Svchost\Svchost.exe

"C:\Windows\system32\Svchost\Svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1012 -ip 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1392 -ip 1392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 992

Network

Files

C:\Users\Admin\AppData\Roaming\zkHrWvUYWU.exe

MD5 9b24f78266073aed6e00462cb31756e2
SHA1 603e0d50a9b9464a0a7d70dd0bfb06191918ea6e
SHA256 f8c4d7333771ba91143b8122fe3b8a20b624efc6f2ed9a9899bde7d025518433
SHA512 3fe6b0af07cd3b4661c3d84003c5b6d644727ad2826e273875f9f01aad4bb8bfc7eef7f02087c0dd5aa5d5c64797721dabfddae6ce6bedb83969fc64c6c845fe

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 1ef6cae3f52a3803b36ca70da09bee3d
SHA1 4545b14691be5e189f9436a45d4ddd9dd7fa3609
SHA256 41c2b2fc8b65d8f67ac2174e31a7052b1657e5bf2ef16ef041d9d6d27cb4a608
SHA512 fd69aff563f36a2b073ccd41a09fc848a1c01a004ed2fdc626a348fafc6ab84e68c8679607e315e390337295c924dbe80e027c1bb7ea0e3b8ba7666b7e3fcf70

C:\Windows\SysWOW64\Svchost\Svchost.exe

MD5 d881de17aa8f2e2c08cbb7b265f928f9
SHA1 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256 b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
