Malware Analysis Report

2025-03-15 07:45

Sample ID 240215-xt5a4aeh48
Target 9e5751ab98939fa951b6d2b3f35453d8
SHA256 417b715747c60c784f794639966da389b934a21040fead16878f01c8450cf514
Tags
cybergate tentando denovo persistence stealer trojan upx gozi banker isfb
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

417b715747c60c784f794639966da389b934a21040fead16878f01c8450cf514

Threat Level: Known bad

The file 9e5751ab98939fa951b6d2b3f35453d8 was found to be: Known bad.

Malicious Activity Summary

cybergate tentando denovo persistence stealer trojan upx gozi banker isfb

CyberGate, Rebhip

Gozi

Modifies Installed Components in the registry

Adds policy Run key to start application

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-15 19:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 19:09

Reported

2024-02-15 19:12

Platform

win7-20231215-en

Max time kernel

159s

Max time network

164s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{K66PWF05-MHP0-QOSK-R422-2TVV5GA56OS5} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{K66PWF05-MHP0-QOSK-R422-2TVV5GA56OS5}\StubPath = "c:\\dir\\install\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{K66PWF05-MHP0-QOSK-R422-2TVV5GA56OS5} | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{K66PWF05-MHP0-QOSK-R422-2TVV5GA56OS5}\StubPath = "c:\\dir\\install\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\dir\install\install\server.exe | N/A
N/A | N/A | C:\dir\install\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2672 set thread context of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 4964 set thread context of 5000 | N/A | C:\dir\install\install\server.exe | C:\dir\install\install\server.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
N/A | N/A | C:\dir\install\install\server.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2672 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2672 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2672 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2672 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2672 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2672 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2672 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2672 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2672 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe

"C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe"

C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe

C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe

"C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe"

C:\dir\install\install\server.exe

"C:\dir\install\install\server.exe"

C:\dir\install\install\server.exe

C:\dir\install\install\server.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.server.com | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp

Files

memory/2672-0-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3012-3-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/2672-6-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3012-7-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/3012-8-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/3012-9-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/1292-13-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/1884-2693-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1884-2715-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/1884-6021-0x0000000010470000-0x00000000104CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 a897b8a9cd01dc7e8f5e592c90915f43
SHA1 66f3da2cda8d2e608b59de31692d217569742fc3
SHA256 ac236988db1194de2bebee42f443287dbb60d3be4fb1008d3877a05e40340891
SHA512 7f09ae67701554822c21666847ba130f8b55fb5a0c77be45ccef39c5f94dd804a039035d98176972a2fb8820a52cd355de96a9601b0d583912402229f9005cbd

\??\c:\dir\install\install\server.exe

MD5 9e5751ab98939fa951b6d2b3f35453d8
SHA1 dafdf7384d40ffbe5af79772a389ffe1a407a39a
SHA256 417b715747c60c784f794639966da389b934a21040fead16878f01c8450cf514
SHA512 7267f090ee1b90a50168758481b9dd7b34d19e73d3310ac221e86857d50af6c86e96f9f64252113ebefd743f1beffa30af0e82c787d8e0ec3432a2bcf2f605bd

memory/3012-6031-0x0000000000220000-0x00000000002B5000-memory.dmp

memory/3012-6047-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/3012-9366-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/1412-9367-0x0000000010530000-0x000000001058C000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/1412-9386-0x000000000C460000-0x000000000C4F5000-memory.dmp

memory/1412-9388-0x000000000C460000-0x000000000C4F5000-memory.dmp

memory/1884-9390-0x0000000010470000-0x00000000104CC000-memory.dmp

memory/4964-9392-0x0000000000400000-0x0000000000495000-memory.dmp

memory/4964-9398-0x0000000000400000-0x0000000000495000-memory.dmp

memory/5000-9404-0x0000000000400000-0x00000000004AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f0f8a1305b7bec08c5b5f715fe79f4de
SHA1 12c6dd15da72964902cf029ddc268c437bfd9bb0
SHA256 6ac87acec5a9f7f8293cfd9a637f5646a6be6e8eb03cb6f2ec11b1a650a1802a
SHA512 fa1380f5701cccec0c2636a9594963919bbb6dd74839c3eded16e864ef139b5c9c43dae6a5b41f1db0d75c52e92b62fd9447fde39af42fd9984dfb7dabf7b606

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0bfd3096f283ae5f3ad6e0c6b15f53c8
SHA1 1add9829946f569f690f5dac92b14e880b709197
SHA256 3c064f390e01d08b868358b41dac9f3005d0c3bda16965eb8276f9465820b0d8
SHA512 8b694624d200696ea4854744d1e9df1e11baee6eac9b9a49490faa87d95cb2c21eb6133f0858a0338db89200f42892ea32c1ea809045e11927ccdf9bcaaec0f0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5d1a2a5f7b63ebc91119ea0fc9a920f9
SHA1 b3b178d29df58cb682103baf134600155b2ccbe0
SHA256 96f8c2c28bf8d09cbd72bc857df8f41a036e95687da316d4d8dd194f959cf558
SHA512 d955eda9dc5bd5a3a3758114319627ef8b31aa4f4163669deb44fc49bff80b216e6216bf2fb5747ba4417ac4737305c64f906980720a7dfd7981c97048050bc2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0fb90ed5844d7e0c319f0b7f002477e6
SHA1 bfaefac8e7c9af41a71e1b8449f689fb1fe53680
SHA256 c0baf409fbd428f11f03667f7381f4f880e48e00fbc3f74097977c358d4f409a
SHA512 9c6788bd10cd303596fd902956f5de353baea3c3203ddf52144b57873d4a3d15a1772bb88035d9122a6ff8118a82bfdb5bfc4772825b6c9fd40d3d9633153bab

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 84ebd4a6a47dbb689876b83f911c626c
SHA1 d53a3d1a64503cae37fac7daee497151b7ea1b4e
SHA256 7a0645720efcde193863446055ca83968fd6c4b495b92c6a020cde4b90e6433e
SHA512 9695e5c73d3c6244f7d4bfbaecfa3fdca0b1b00a73ccd3456af92a78a11e3812969cf9ed1eafd4f47c4d66505e7f79965f5a9e40ab6b056a5e3ff0561578893b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0c39a26f0b39f1bd669dbadc783d173a
SHA1 ed6707dfe6cdd844527e49a997f252dcf5596426
SHA256 61f9384d1b0205517701a419b0974b371faf512d7b691b19c55313f9386e02da
SHA512 1273f30b384a04ebcea210c876f7b434fbd653fda8ef6e9f7fd3aff7f954eb244bb0a3e2aea6b882001d06776dfbc89145cdeb1aff1d8a4cea8dd0947305a8fc

memory/1412-9705-0x0000000010530000-0x000000001058C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6282654f55c7719ecab1f25189b8b925
SHA1 dd22c876e34ba93396747f730dc601dee884ee10
SHA256 eef86439c5d67350d64ce9bc8168f6ae93eee0d6eacf2c1c6a62c37729095364
SHA512 c81813d94744abd0b77c29b87b41663172899f91e63c5d13cb386a582513e947d7136019143663e2ec85719e46b43bff5c08f389d8cee68133b24b8dea4b8d1c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8ed2f1eb771735b7ccf0d15d52e96772
SHA1 16f001feaaaa5dd139079a0373b01da37e1737a0
SHA256 e74c708bb48b8b569a13b1e14399b761592cd51af9485995a52c253932853e3d
SHA512 cc9135fa92876ee9575c9f56bfc3c2a6ed5a1f0c08ed6ca8bac243ff219ad97cc707a37ff20a17b6debb16df653165da5fdd6cbc2cf71de3857b771c0e5b6bf1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 89dc51a3b306e35654d05412de836d2a
SHA1 66980990fdfe382716795a87748c64441966350e
SHA256 20b699932f41ac9f08ca237dd6ebacacffb07a567096ba75d219b167660a092a
SHA512 f76127d1b49fa78542624ec993e6db7ff86ea0ded35a3a1a69ede170c617da1f775ca13f853dc1c372bbed3876bb5f25f224329c4645430c735f0cea16bb9ecf

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 63f3c53f947d8bb418a8a45203b0422d
SHA1 0bba645e08dd74af8404492fcf45e2ccbdc4aaea
SHA256 790f75580028612d63456e4da39d04ecb39db5559c0e886f30cb98550bd0cce2
SHA512 33c2731715c3987df44556ff3ca4a03887baccdca40c57ba89fd5467994ca32d236d014dadd36d472e14e27b43672e7a65d00bbf638d9f8b32551a6e839331a9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 367dac518fb9691ef790d6f5243e5910
SHA1 dd5461ddd8106844f71526b7d3a3b41737c6938c
SHA256 f0aa605ac56800aa9751c03f1824b71e06c85d6440446a54a08ad80aeb66eed5
SHA512 3f393d0631b5eeb0e3008b8abbacea9bedc3b9c466f4242d5d40b0449c8a4cf847ff4fc9e7c9c7f3271c4249c9eaaef3701567a9d3fcd799a002b8fdb6422f84

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f0b78dd5fa1edcfe424a20186e60c0e5
SHA1 5599a2f05fbd90ba5366d53e1434d16cfd566cfa
SHA256 ced55b1b8a98899c68ccc8cd419639e664a2974958c021f5438201bd153014a7
SHA512 d26d7c4f531fde853fb9ef8e6b8d5e9b489248866242da987eb02e4051ec5805bd68b2969c3f17210ff9abdeb5baaff946a5c96a65ab177f66f1cd88e2066bb4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 32e45bd62c04fae8a78ee55fc4f6f62c
SHA1 c0d6f0fe9940cd3b88042ba5ef5be523b4f08d20
SHA256 7a3584e076edb200b3f63f380e02c9cf6f5e3185a727afb74045bf2960b0a0bb
SHA512 a69a49b51ceea7c3b3101dd89d913a3a3f3ddb26c0595ddc4cb440a8faa1caf828a7667deb0bee901f2568f9c010f674ca7c4a9c38db327abf5d1506a6d465ed

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7ca901bc32695e03d18d334eddbc75fd
SHA1 aacc5359c888ffd51392ed36aa79b3e0ac9b2a5b
SHA256 f1c3e7ad453faf701505032c8a8b4616aaa08c9e9b489f236464c2414cd5b5cc
SHA512 57d864a2ed2f7e8a3de5bbd8ee2ba0f549462e01e2e46eb80f944564fee867d675abb37ae106a1a545cc67f52a17a525f1a49c3bd68f41f826218c62b483fdf8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1f96faa23b589f582950707128370126
SHA1 283c7f02b00844052df9c33d4ffe800b39064cdc
SHA256 2e9ef55a521e4b5ec2061fdfafeb642c6231700704d6fbd95e8da5da7f2347e4
SHA512 ae038ff4d6660ed83fa705bcc4eba218a34a902f41083943a87943ee804e1f25a1f2851e60a9d2bde18ab6d4b842f3c17ca2cbf4227bc702861319629212eab4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9606faeb639ef3b4d0e491f82a39beff
SHA1 aadc0eda7507e5c6e53ecf71b58fe904e91b0efe
SHA256 e814208e3310ced8978387c238e84b3324c6d539a13fc4e11a3878b74d4c7fa3
SHA512 e5cb1dad9b8447959aaa4a7b7d8201d100e2ef8469de9630609472daff9b6c79a5b8e1978ad11b37934d96c02a032fef578c72ac1dd98c28ee18d3d7aad930e5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0ac6a7171284a25b7c7741be2f62575d
SHA1 2d9c3d3f5d50d64b994bab87ff896a023fd36275
SHA256 052c9ee0c75dacec55d9b6a956f1a7175b22645054d2dd33a60198117b2b640f
SHA512 5381fca9b60becb8b04cf066a6d7229dadbb7f8018a393d142aa7ca7089b728365cadd0fdc1c581431c8a69d4d40be8874e74afb0f8153a6ca4e27f568d5e764

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0cd6bbee7d839c163b3f23081ea477d9
SHA1 db3341d0bfcff96e336cf5f48c6e33adc9fd13be
SHA256 47f1f666c0b84425378b7aa6a7d67296592afdaa20f142c6cf9fd3b2a2e396f3
SHA512 e20e7f391493fc866fc5a5b6103ef1c7975b6fbae6fc41c1bed9827c12e533ad1da57de43da4036360efb7bc8cc7aba9353c860d4c8be0449dcfa442127ffb01

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 19:09

Reported

2024-02-15 19:12

Platform

win10v2004-20231222-en

Max time kernel

147s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Gozi

banker trojan gozi

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K66PWF05-MHP0-QOSK-R422-2TVV5GA56OS5} | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K66PWF05-MHP0-QOSK-R422-2TVV5GA56OS5}\StubPath = "c:\\dir\\install\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K66PWF05-MHP0-QOSK-R422-2TVV5GA56OS5} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K66PWF05-MHP0-QOSK-R422-2TVV5GA56OS5}\StubPath = "c:\\dir\\install\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\dir\install\install\server.exe | N/A
N/A | N/A | C:\dir\install\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2948 set thread context of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 6496 set thread context of 6532 | N/A | C:\dir\install\install\server.exe | C:\dir\install\install\server.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\dir\install\install\server.exe

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | N/A
N/A | N/A | C:\dir\install\install\server.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2948 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2948 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2948 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2948 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2948 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2948 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2948 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 2948 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe | C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE
PID 3800 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe

"C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe"

C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe

C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe

"C:\Users\Admin\AppData\Local\Temp\9e5751ab98939fa951b6d2b3f35453d8.exe"

C:\dir\install\install\server.exe

"C:\dir\install\install\server.exe"

C:\dir\install\install\server.exe

C:\dir\install\install\server.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6532 -ip 6532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 532

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/2948-0-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3800-3-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/3800-5-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/2948-8-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3800-9-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/3800-7-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/3800-13-0x0000000010410000-0x000000001046C000-memory.dmp

memory/1304-20-0x0000000001000000-0x0000000001001000-memory.dmp

memory/1304-21-0x00000000010C0000-0x00000000010C1000-memory.dmp

memory/1304-688-0x0000000010470000-0x00000000104CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 a897b8a9cd01dc7e8f5e592c90915f43
SHA1 66f3da2cda8d2e608b59de31692d217569742fc3
SHA256 ac236988db1194de2bebee42f443287dbb60d3be4fb1008d3877a05e40340891
SHA512 7f09ae67701554822c21666847ba130f8b55fb5a0c77be45ccef39c5f94dd804a039035d98176972a2fb8820a52cd355de96a9601b0d583912402229f9005cbd

\??\c:\dir\install\install\server.exe

MD5 9e5751ab98939fa951b6d2b3f35453d8
SHA1 dafdf7384d40ffbe5af79772a389ffe1a407a39a
SHA256 417b715747c60c784f794639966da389b934a21040fead16878f01c8450cf514
SHA512 7267f090ee1b90a50168758481b9dd7b34d19e73d3310ac221e86857d50af6c86e96f9f64252113ebefd743f1beffa30af0e82c787d8e0ec3432a2bcf2f605bd

memory/4844-710-0x0000000000400000-0x0000000000495000-memory.dmp

memory/4844-1370-0x0000000010530000-0x000000001058C000-memory.dmp

memory/3800-1371-0x0000000000400000-0x00000000004AD000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/6496-1390-0x0000000000400000-0x0000000000495000-memory.dmp

memory/6496-1399-0x0000000000400000-0x0000000000495000-memory.dmp

memory/6532-1403-0x0000000000400000-0x00000000004AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 694b44de43f9a37d0e1f252c62b6591c
SHA1 12ff0b6452c76ba3d64a2e68659d32366e4c7497
SHA256 9c55a31b4e2b71073640f59074eb61311f35bd91d0dae43de51ee2e8661b1760
SHA512 c58a643c7a6f84db41ae5e2b0dc7e7217acbbbf3c22323d91abf7922bbb6f5032e59787325fbe9a688f64538170c157992ffebe173fffdf8c15b3cc948eb41c4

memory/1304-1432-0x0000000010470000-0x00000000104CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 933971974b22dcf137e222c93f5335fc
SHA1 20792461d9d5e871f908e261736714444031d24f
SHA256 fe9adef1c745e2eea59f3b9da5162cc7fa4b45bbf9b8243837bec7c544d46ac1
SHA512 d12c042e16a003fc189c92b6ea1efae3ac66dd6ea280bfaee0776b4061962b21288b4acd7900a120486ffba13551e9d03ca9f6ef6c509c8384d1fd5b98ea5fcc

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7b54d8f38e12ab0c2b49306ead0eb380
SHA1 31f657a92e3e7a1dc856c17805903e46813e9faf
SHA256 a12b1e2a428fd99bf054a07b53938377bf9730495ce177ff72e2ae6ad809c5fb
SHA512 14d1fbfaa483f41b40471a8467d8eac097212d6b6994b7f55e5a7fc92f41e5740c5b7279d18fd5c77c8d1dc00ed101ca8a826b2bc90aa84189897691e57bce1d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ad38f1ea747d7217fb21cf9a36d031a4
SHA1 521dc8b31aae64c33f2a4b421e40d142347c5e45
SHA256 d151aebf952515bc5f1d765b875853e858e76d57d4726834716e8962395d2a7f
SHA512 762c2b41549cf1275ec2d83880202e68d60292a7904aea3e5fab45d810768c1199574d03cee755598f6e005f52d79c9774e922f181194fb615074d124c27ce28

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7fda3290cf23d015efe676e1d7b9e9d8
SHA1 aeaa90c7b950f4fe1ffb749631f74805a95c5715
SHA256 1e09fcb30547d9fc0049b3ece0ee0ed6811503d715b5b00d35c71ccf6dfe193b
SHA512 180aee4573e1f9a6bd160cf53f83506e2262b41c19dd8d54d874811629c4372605b1e66658cf68423cd49fd287173da7bcff8fbf28513aa963971256d6d51172

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a8d67d8787a399a288140ebf0efb6598
SHA1 9f2191aa018e1abeefbdd6b6d64f570d4fa5f4f1
SHA256 30264fdb60060acc6e8b03e3243296fc7333a9a53e88eb93472974548af32b51
SHA512 a3a2e62097b7afa76d0914f592f1c493fe4ececa08e828a95ae9699419f25450e8f3535c89cdff3f42ce49452db13639a08be593e4cd5c536a9813d6c49ee310

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 031342c6ae5e5b11d10d5b73df7ba90b
SHA1 1e286b4fd34735e1173fc864b26d6fe331b39388
SHA256 56b9de86080d5a36c715b7c2ac9e948769c0a6970745df94d61869b2b7e18de5
SHA512 60a3ea8434aca3acc1732d6db8abe4d710c79f449659ba4ab4b46add969546f89b8f76ef74a03eee46b52513f631964ebb37a5c8ef972b1642ac5a4f422749f5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 11e38e9f09d90a875826680cb95c2974
SHA1 fb61bd78681a45db3330e1183b9b883c3fdcaf0a
SHA256 bafc1dc10550aa37102269cb027d29e0d21d7f57529c15f7c4cb357c0683f6fa
SHA512 7086b79c6be8a49fe55a5b6d5ea8ce35bedb87406049e2e0d669959d395322010f2a3302d8201d34dda3d9d9644de3fe428570c3af79270479f7600bc8341e68

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 de13e7e43a00884837fde319a7adb3ba
SHA1 0a3984cf7aa89bd22c9796f8537fa831e877bf98
SHA256 f3299e2cf709f7677cd4c9427cfa5a448c07ebe731ed7e33f9b07df8a57fce12
SHA512 23e6ad67231544f78958e0ecce88f1bdcefc37095a1058c0ab0d7729391432f10765f2eb9c2a82dc6dd0852c111737b7fd2d6b6b52c3e7892159ccb0ade72904

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5940b5877adeb1ac0d1871b843b7b2db
SHA1 afb24e0d2b36927e40f82ab6cf9b73e0bf3c8277
SHA256 ddf190a62bf14a90573c128931ac6a95144a0b0ddc19b7bf93f99f5ba43905e3
SHA512 445500783bc74035a442d31026465ebd1baceeee831a1b44cf41172fe83c3eb5b9aafffa3ffdba35a3dbaa257b0a4074a2d8f49d2713e0e7e1b70dcb10630f62

memory/4844-2334-0x0000000010530000-0x000000001058C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7833f6447720e06d6172f80e164c3d6f
SHA1 51d332a888fe683d7bf3994c4b5b64acdc03481d
SHA256 8a76715ad7770ec25408191bed87dba0de1fcc078273ff69ed49bf06b341fad0
SHA512 0e3dcba947b5e40b36beea4064e1637a6523914f145b9593fd37ecbf762dbdbf9aa4c15d5e0ae8925ac3235844a0383121e2370e0535b8eb5cb43d8782207873

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7f89a36873f247cc7392e699c049d6e3
SHA1 a09b460e007f84cbbee77c58b25743f4ff82e65a
SHA256 467fc607b8b55a37b05fd57e236dea9d72bd2d54df0dfce8df3fa16a5903b1ce
SHA512 de11ec7e80e2bcb036b3a9f72687a93ff59327900858e9bd74a544b89bc816fd301b77def042d5b2609b437201c237569f3bb50ed74d4f23164094ba20251a0e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 bcf100ee96d37061e0a22892db2a80ba
SHA1 62c6ead8d366072ffc4930e5b494abafdcd00fb9
SHA256 ebfa292769b3751aa70807cf6a2b62299fcd53edb4ee44cd621bc51aa4cfe3ba
SHA512 defbe328ff861b8722144caa9bf83978b21b040689967567b83ac510a375593b3101af723e727ee370cf111695b5ed6541a63a82b880291ba1b07cec8665948a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 13e781d7a7c1acd68fdd5043d9f696df
SHA1 685b4be8d3ded16607e1bb64da8e0ffebda4f7c0
SHA256 4d70353c5c8f4f57689fcb154b251e06ca503aab10494f0769225b87815454aa
SHA512 9cabe2a1d99328ed92e187501740d8fa1aaae55166bf27fc662401cd45df08a8ce482f1f3245238fe3d666c4cd43303394e0b1feb1c869e6d07707555453d6ae

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d61c16cc7ee17436fd9e2ba469c50c04
SHA1 234eba21cad70cbab2cd44d17e97dc216b0ce4d3
SHA256 c2f565165a5b94baa5c82e9f336ab3d3208de0b66fd8326b93c9fc93f0262787
SHA512 a8664de3cab922cfc81ef30688770206a578dd6fa154299b1eeb79c88bc306201ff568577cf7c812d967dd1da93258da05e8906c877b3f5ec02f46a8df8c5527

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 bf270520f70cc2a58d4057187537d925
SHA1 e9073d9f4c769fd0680b286f869bb98554d17ee6
SHA256 3d1c61eb881d0e09a618c5c683e4943c96aa6d634938389fd8052aa4071ea994
SHA512 31a3babee0f04fc30eb99907c308d9ad72b2ca97d4b1b9db17eec1a80c432c07e42f01689db1174d02fd9bfde34d6d4c2b11242dfc91c8b3f6caa603ff666814

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 af70c723a01da2295cbdb6cc46f6b1f2
SHA1 4fae1c66b97f0f45644562f0d0db399578a94805
SHA256 0caadb288285257ab5f9efecb4980cf6e5f67dc9921e70910b3ed5d6fbd01390
SHA512 7d9c7b043ec182ecf34091afd9956b63c1c445f029711f1be21cffa04f420a8036ea429f0e3aad9add278fdd80b655e99062a4be4fbc1f9249894da431408fcb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3aa758df99dfbfb61902a0977e599d00
SHA1 99777e3dcf31da70f5846b8466d679dffd4a7061
SHA256 b49afb146182c3a3e0a3d70d917dbf7ebfcf6cce14f52b62904d0d311d673ae4
SHA512 32fbc1266af2d82224791e51b3d8fcd517c3fb0e8df5a6f9374d382f11f851ec8d62b52a77d3336ae46ff465a560d86b3fb37333ece655400bfc93eaa4024332