Malware Analysis Report

2024-12-07 20:21

Sample ID 240301-ekjzpacd46
Target b044f5284a7d36a36a3363405207ca06
SHA256 03b2be7dc944c46239c333604a11747707535e0e8c08611a7513015c9cf02e95
Tags
aspackv2 cybergate vítima persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03b2be7dc944c46239c333604a11747707535e0e8c08611a7513015c9cf02e95

Threat Level: Known bad

The file b044f5284a7d36a36a3363405207ca06 was found to be: Known bad.

Malicious Activity Summary

aspackv2 cybergate vítima persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

Checks computer location settings

ASPack v2.12-2.42

UPX packed file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-01 03:59

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-01 03:59

Reported

2024-03-01 04:02

Platform

win7-20240221-en

Max time kernel

147s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0N4774S3-GT68-P0SH-5FO5-3510L8165X74} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0N4774S3-GT68-P0SH-5FO5-3510L8165X74}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0N4774S3-GT68-P0SH-5FO5-3510L8165X74} C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0N4774S3-GT68-P0SH-5FO5-3510L8165X74}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\install\server.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe

"C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe"

C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe

"C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe

"C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\SysWOW64\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-01 03:59

Reported

2024-03-01 04:02

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0N4774S3-GT68-P0SH-5FO5-3510L8165X74} C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0N4774S3-GT68-P0SH-5FO5-3510L8165X74}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0N4774S3-GT68-P0SH-5FO5-3510L8165X74} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0N4774S3-GT68-P0SH-5FO5-3510L8165X74}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\install\server.exe N/A
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\install\server.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 872 (8 identical events) N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe
PID 872 wrote to memory of 3476 (56 identical events) N/A C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe C:\Windows\Explorer.EXE
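
Collapsed, the WriteProcessMemory rows above are two edges: PID 1152 writes into 872 (a second instance of the same sample image) and 872 writes into Explorer.EXE (PID 3476). The Python below is an added example, not part of the sandbox output: it reconstructs those rows as ROWS, folds the repeats into counted edges, follows the writer-to-target chain from the original PID, and attaches a verdict to each edge. The rule in classify() is the script's own assumption, not something the report states.

```python
"""Rebuild the injection chain from 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the original report. ROWS is reconstructed from
the table on the page (8 writes 1152 -> 872, 56 writes 872 -> 3476); the
labels returned by classify() are this script's own heuristic.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

# Reconstructed from the report's table: each repeated row is one WriteProcessMemory call.
ROWS = (
    [f"PID 1152 wrote to memory of 872 N/A {SAMPLE} {SAMPLE}"] * 8
    + [f"PID 872 wrote to memory of 3476 N/A {SAMPLE} {EXPLORER}"] * 56
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Yield (src_pid, dst_pid, src_image, dst_image) for each table row."""
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def build_edges(rows):
    """Collapse repeated rows into one edge per (src, dst) with a write count."""
    edges = {}
    for src, dst, src_img, dst_img in parse_rows(rows):
        edge = edges.setdefault(
            (src, dst), {"src_image": src_img, "dst_image": dst_img, "writes": 0}
        )
        edge["writes"] += 1
    return edges


def classify(edge):
    """Heuristic (assumption): writes into a process running the same image are
    the RunPE/hollowing pattern (a suspended copy of the dropper is overwritten);
    writes into a Windows binary are injection into a trusted host process."""
    src = edge["src_image"].lower()
    dst = edge["dst_image"].lower()
    if src == dst:
        return "self-image write (RunPE/hollowing candidate)"
    if dst.startswith("c:\\windows\\"):
        return "injection into a Windows system process"
    return "cross-process injection"


def injection_path(edges, root_pid):
    """Follow writer -> target edges from root_pid, e.g. [1152, 872, 3476]."""
    path, current = [root_pid], root_pid
    while True:
        nxt = [dst for (src, dst) in edges if src == current and dst not in path]
        if not nxt:
            return path
        current = nxt[0]
        path.append(current)


def summarize(rows):
    """One finding per edge, ordered by writer PID, ready for a report."""
    edges = build_edges(rows)
    return [
        {
            "src": src, "dst": dst, "writes": e["writes"],
            "target_image": e["dst_image"], "verdict": classify(e),
        }
        for (src, dst), e in sorted(edges.items())
    ]


if __name__ == "__main__":
    for f in summarize(ROWS):
        print(f"{f['src']} -> {f['dst']} ({f['writes']} writes into "
              f"{f['target_image']}): {f['verdict']}")
    print("chain:", " -> ".join(map(str, injection_path(build_edges(ROWS), 1152))))
```

The same parser works on any table of this shape; the point of folding the rows is that the write count per edge (8 versus 56) is the useful number, not the list of identical rows.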

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe

"C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe"

C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe

"C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe

"C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

(The command line names system32 but the process image resolves to SysWOW64: the sample is a 32-bit executable, so WOW64 file system redirection maps its System32 paths to SysWOW64 on a 64-bit host. When hunting for the dropped copy, check SysWOW64\install on 64-bit systems and System32\install on 32-bit ones.)

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\SysWOW64\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 560

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
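
Most of the Network rows are PTR queries for addresses the sandbox host had just talked to; the sample's own activity is the single forward lookup of www.server.com and the TCP/80 connections to 52.8.126.80. The Python below is an added example, not part of the report: it parses the table (copied verbatim as NETWORK_TABLE), converts in-addr.arpa names back to the addresses being reverse-resolved, and leaves a short list of endpoints worth blocking. Treating the in-addr.arpa lookups as resolver noise rather than malware traffic is the script's assumption.

```python
"""Triage the sandbox 'Network' table: strip reverse-DNS noise, keep the C2.

Added example, not part of the original report. NETWORK_TABLE is copied
from the page; treating *.in-addr.arpa queries as resolver noise (PTR
lookups the sandbox or Windows issues for addresses it has seen) rather
than malware behaviour is this script's assumption.
"""
import ipaddress
from collections import Counter

NETWORK_TABLE = """\
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
"""


def parse_table(text):
    """Yield (country, ip, port, name, proto) per row of the Network table."""
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, name, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), name, proto


def ptr_to_ip(name):
    """'140.32.126.40.in-addr.arpa' -> '40.126.32.140'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)  # reject garbage such as '999.1.1.1'
    except ValueError:
        return None
    return ip


def triage(text):
    """Split rows into PTR noise, forward lookups and actual connections."""
    ptr_targets, lookups, connections = set(), Counter(), Counter()
    for _, ip, port, name, proto in parse_table(text):
        if port == 53 and proto == "udp":
            reverse = ptr_to_ip(name)
            if reverse:
                ptr_targets.add(reverse)  # an address somebody reverse-resolved
            else:
                lookups[name] += 1  # a name the sample asked for
        else:
            connections[(ip, port, proto, name)] += 1
    return {
        "ptr_targets": sorted(ptr_targets, key=ipaddress.IPv4Address),
        "lookups": lookups,
        "connections": connections,
    }


def c2_candidates(text):
    """Endpoints worth blocking: every non-DNS connection with its hit count."""
    t = triage(text)
    return [
        f"{name} {ip}:{port}/{proto} x{n}"
        for (ip, port, proto, name), n in t["connections"].most_common()
    ]


if __name__ == "__main__":
    result = triage(NETWORK_TABLE)
    print("reverse-resolved addresses:", ", ".join(result["ptr_targets"]))
    print("forward lookups:", dict(result["lookups"]))
    print("block list:", c2_candidates(NETWORK_TABLE))
```

The reverse-resolved addresses are still worth a glance (they show what else the host contacted during detonation), but only the forward lookup and the TCP endpoint belong in an indicator list.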

Files

memory/1152-0-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1152-1-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1152-2-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1152-3-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1152-4-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1152-5-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1152-6-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1152-7-0x0000000000400000-0x0000000000478000-memory.dmp

memory/872-10-0x0000000000400000-0x0000000000457000-memory.dmp

memory/872-13-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1152-12-0x0000000000400000-0x0000000000478000-memory.dmp

memory/872-14-0x0000000000400000-0x0000000000457000-memory.dmp

memory/872-15-0x0000000000400000-0x0000000000457000-memory.dmp

memory/872-19-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4388-23-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

memory/4388-24-0x0000000000F80000-0x0000000000F81000-memory.dmp

memory/4388-84-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 b044f5284a7d36a36a3363405207ca06
SHA1 0f046e14d8a993e6fb4a1bc61161aa4a03f4aa26
SHA256 03b2be7dc944c46239c333604a11747707535e0e8c08611a7513015c9cf02e95
SHA512 5367291e130dd01ac51f7cc2713be238e5ca5164f9744623d81636850042b8753af2ae78e4ee963c985a2462170dacd87742be8557e13b5e03e2af306f036dd5

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 85c96124d1813f9842126258adf1fe00
SHA1 03d7b951a25f04698e0fa6b62955fab2647cdd87
SHA256 be1fbacd1b3e21c9edafbbe4b6806dcab185b5a45e58ba3a2b5483c9cab23100
SHA512 a4d918c58bacf084a6055ddfac14cfe9895fcc546ee5e51ccc92850fe2defa33e9ca675841d7bea120f5589e1222eecefd362ced5a401ea4eb451c4c06816b7f

memory/4832-94-0x0000000000400000-0x0000000000478000-memory.dmp

memory/872-156-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4832-155-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/1224-182-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1224-179-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1224-184-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1224-192-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4388-190-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3820-195-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3820-198-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6abb3646a441ab21e515b7dde1e14083
SHA1 5097d131c476f36a5fd587beb8a00e9a89a90e91
SHA256 6bb0fcc55634f68113b4db61eb49e2de20a0e67e50b12042fe0046e27271edac
SHA512 14770a6673ab280206d28518a49837ac0fdaff152d998fbe60547d0225dd044041bfc8274798f70cff8251f3bd47392b3896ff75b649e01dcc35601d8ce0fed8

memory/4832-221-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ab5294220409e2fba69aa7a0f99d7d90
SHA1 7540a48af21f464cdeeeabcc9a11b3037ddacf06
SHA256 fd6784b8e26aaff662af31d4707588261b1d998ce2d0f21c66804bcf52cdd0e1
SHA512 f3b8b29620bf073e2243a7cc111dbb9bed016f17fade1a582b45dabf353f0f24ad13602225833b7a5a3107c1598c59b6a4132ea948368a60f39d0eaf83254d3f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b2bf5d412dd2fd304386a3537a74c4df
SHA1 14b81ba80deb8bc89e8c1226c7b0bed06647dda4
SHA256 ff774e30b51ef95b2cb864cb7f1a9283c6b1bdfecc813d6bfc3aca9b5053d7f1
SHA512 f854cee29ce1fe0c892ec28362bcea27c71c877952fcf17216e5505e8c09a997fa0539b5f5af9d9c00200c93571cdd96ec9e520cae7ab2439656e7cc5a47305c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b5c2111ef5392cefab291191c5a271fe
SHA1 07ce177d6c8693920f03c1efaeb20f51c4c0a6e8
SHA256 390a7ae3f269ebe164d8b777a7094051573294df570314a1db2e7da4c71f3691
SHA512 60a70f98e290143c4cfbe918d9e818f3000efce17cf5d60f1321a923d03d9fac18112095376f98a97156c468c33a65d5e84da8cc24e00b22d6117924ee935ff9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 29b3994a8f90b6ce851a79f23e0241e6
SHA1 c2cc5bdddee09e89afae86016c9bbeb547dcb2d1
SHA256 0bbdbda7ce1a2c49a42a221e609da6f41c71ef80f9d808221f6c5d3559aa36a7
SHA512 9e34de26cf0b2d8678b090092a483470524ffdeefc5257ce103512036797f60848aecd1ffa23b675db63e301a4caedefa431d928de58ddba0d55a2eb11d33af8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 68210f06fc86c8c729a18985bbc4dace
SHA1 ea969f370e62febcde9a15414fb6c449ad3177be
SHA256 d168e2ec44742c4437ea29a3704ea992d33fbe3b940a66e49e1244a188256ad8
SHA512 9c08f965b2cf91e6f65a26a696a531a65b0a15262c46b361b780c9d58fd384854cdde56e67aa9ec622a22f7827ca3456bf40e4297affcc7a84ecd0973d83eabc

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2aa7fff8d8f5a1945e44b5c281d398f1
SHA1 2a198659d6427c0144db762adbfd8683615f3395
SHA256 f5ebb5e533589f9b3e7924fa604128d79ccbe71e90af35b9019e2a07e38fbc45
SHA512 0775b983f4d17842993c490961d3f9492b7fcffa9840e58373b711a6e2e9f3edb6d9c3a5a2f31865ab845ff8984d3a89a4a08572938657dd8eb549a92255e739

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 686d619d52891f94fb7e44d56080e352
SHA1 14138e045dd7ea3fa83a39541a0e78bda39f2cac
SHA256 068b24e9f14015dcaa895ba413e75d09bf676d745c40ceb0a072cf0ddf5604d5
SHA512 406e5dbcd3b0987cb53e2cd52c375d9d6b2f122992dda589d6414be533ae8e41b693450bd301016c9d10fd59b53d7ed41bf13f50b75b4df7ce3b9af26362c734

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 374d4f4a1ab37f93cd7c3912d84ac2a8
SHA1 4de6f6712ff95ffa24db85451f1c4539a7bf1b34
SHA256 64dd244a3566c6920a52c8d0cc518fae565d23b60dedfe023a45766d62d49199
SHA512 e4cb4004a3e1584f726e91b14d3faa059f330c38b197052c23a2a28d6ddaba623ded5a440e29b43d9631b89b6a5cb6a5080cef267049dae80f02afc66110b468

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1f33c2a63865ad91f74dc9cf3b45c617
SHA1 ae2e751055e95486bde8b32ea81072484e512cff
SHA256 b8a9646ed5bec50963e817db3154eb6eaa10e411817c7514c3a026bea3b257a6
SHA512 4483658df49c98aa8cea14700f4af80b7c1973f48abbc9a14c96d8453061b9f1a76385e0a75f4d9d0d03e650c753d37ff33f84c874b7a4710949f8a01ecb8ec1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ba0c54ad064b9510962d18a912b0fdf3
SHA1 95ecf7de94adda46c26556b55856e3608968b836
SHA256 a446e4f37f994f655b03381725f75a4e024750567a8f19fe71dd13cd109767df
SHA512 2f492c976f67529a1cd1b6db62aa6006834fb5663244e08582ed35d3d4390f6794f56f267c045c1366190e213f91e7042e603b1ea401a94647592f9d84aadcaa

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e7ce71682dc0c83f8bce70881aca22f0
SHA1 3c6a0ff59ce4459943cfc50b9f90cc5976c3cad8
SHA256 2665c148757074e51f35182221deef376137fd1ea0f2b78a8cf9fe4af461dc64
SHA512 b4aee142bfaf195a93c468b3126d6b48c0cfd4488767f992067bc498a2a99a163e0e14a971af66e0c81bed48cfbd1e37263c2d783c91e014a5d1e98bb89b17cd

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d7af09536fb500272cf5f73163e7e412
SHA1 45b974f55434305c61571e59955d79cb9037aee7
SHA256 94d79bee9f2dd8ff5db78a5cf8001362ef50b61099e439b3b491f6af97d56e37
SHA512 3a63d7524323489e7a95565de324201519bd0ab1683c79cc2d38a4023d8012106320b682bd56f86e9ed132ec6fa862625f5136f27df043ba158b932d7a6ba1a0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8217c34bfd44f6de02c889c1088bba4b
SHA1 9b29142da249e1c9ec1c010227a941a7e115f469
SHA256 1652e1aa3a9f86ae25268d725738d8d25f0ddd77635315087d7ac6275dc69b75
SHA512 504d0058e3780526ef9cf74fb5876e67d17a36f89c5c771e005335649225320593264255adba56ef4dd021aa23a0c7b4792a05f3a2cec6f47121a9a5a97c0663

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 502ee9e516f1d1c026ba8ab66d9365d3
SHA1 ce5eac995596fb68b403b9f5fe49c199c81d3ad3
SHA256 5e2b5afc00e116caba8e3e0c3dd7fa84acfc212af2798a6dd19e67ce14df13f4
SHA512 45c36703b6a1909d06859a5fcb9b1d0d28dd770ff227c11049c0d10663d979f75b057b884b7c562927225974ec457ce2e7e314a9260a56b4785df8c3e9109952

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 21112aab10a238fb91a6820789598088
SHA1 7e176a1b80ad72e5bda8b400f4f7bb15ee453d5f
SHA256 ed0d69765eb20171e663f60855430d4c4e1f8094d30feac9c951c7a250caaa11
SHA512 380fb39736336ec4b1a18af9fa388845b6d2f6af65718a9b2ce4dde6bab6228e261e8c11a0f51cf3dd3fa121f3a1cedc92f06163cc6bf97815fd4645010405e3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2e81d0a01db39496512505d88c74e948
SHA1 1a86351f57ef32e04b760a0509704a4afc961e9e
SHA256 24eb7afe9c203a2975a17871db825e8d7d7a4d683b99166e6c227a0256e2c2c1
SHA512 c8ba0de7abc07b3a45de2c14b91c5f737260d36d0e1869eacfec781610a1634d3ddddb6514287e6797a23ff5cc7d1a67bd69bb879ba8bc12f01370cc78ce2839

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3243302eba83618dc68c726c12b519c2
SHA1 8c5f44c475271af3dcb5cf2371102387c3854ccc
SHA256 238336f017ac7e947495ca402ecf849007567d1882f20cde2bd0467c59e21df9
SHA512 1e0add36792d7e2b0db026d6c57367a21d13a2b5d7a4f9a5e3c45f003f3fb90908c24b79ed66972e8969614ef6570df60f47b375291aec168ddd657ce7edfc16
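
Two patterns in the list above are worth pulling out: the dump names encode which memory region was captured from which PID (memory/<pid>-<seq>-<start>-<end>-memory.dmp), and the same path (XxX.xXx) appears with a different hash on every write. The Python below is an added example, not part of the report: it parses a de-duplicated copy of the dump names, compares the size of each PID's region at the default image base 0x400000 with the original process's, looks for equally sized regions at higher addresses that recur across PIDs, and flags dropped files that are byte-for-byte copies of the sample. The hollowing and injected-module readings attached to those patterns are the script's heuristics, not statements the report makes.

```python
"""Triage the sandbox 'Files' section: memory-dump regions and dropped files.

Added example, not part of the original report. MEMORY_DUMPS is the page's
list with repeated (pid, region) pairs removed; DROPPED is an excerpt of the
dropped-file entries with SHA-256 only. Dump names follow the report's own
pattern memory/<pid>-<seq>-<start>-<end>-memory.dmp. The interpretations in
hollowing_candidates() and shared_regions() are this script's heuristics.
"""
import re
from collections import defaultdict

SAMPLE_SHA256 = "03b2be7dc944c46239c333604a11747707535e0e8c08611a7513015c9cf02e95"

MEMORY_DUMPS = """\
memory/1152-0-0x0000000000400000-0x0000000000478000-memory.dmp
memory/872-10-0x0000000000400000-0x0000000000457000-memory.dmp
memory/872-19-0x0000000024010000-0x0000000024072000-memory.dmp
memory/4388-23-0x0000000000EC0000-0x0000000000EC1000-memory.dmp
memory/4388-24-0x0000000000F80000-0x0000000000F81000-memory.dmp
memory/4388-84-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/4832-94-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4832-155-0x0000000024160000-0x00000000241C2000-memory.dmp
memory/1224-182-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3820-195-0x0000000000400000-0x0000000000457000-memory.dmp
"""

# (path, sha256): excerpt of the report's dropped files
DROPPED = [
    (r"C:\Windows\SysWOW64\install\server.exe",
     "03b2be7dc944c46239c333604a11747707535e0e8c08611a7513015c9cf02e95"),
    (r"C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt",
     "be1fbacd1b3e21c9edafbbe4b6806dcab185b5a45e58ba3a2b5483c9cab23100"),
    (r"C:\Users\Admin\AppData\Roaming\logs.dat",
     "51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46"),
    (r"C:\Users\Admin\AppData\Local\Temp\XxX.xXx",
     "6bb0fcc55634f68113b4db61eb49e2de20a0e67e50b12042fe0046e27271edac"),
    (r"C:\Users\Admin\AppData\Local\Temp\XxX.xXx",
     "fd6784b8e26aaff662af31d4707588261b1d998ce2d0f21c66804bcf52cdd0e1"),
    (r"C:\Users\Admin\AppData\Local\Temp\XxX.xXx",
     "ff774e30b51ef95b2cb864cb7f1a9283c6b1bdfecc813d6bfc3aca9b5053d7f1"),
]

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
IMAGE_BASE = 0x400000  # default base of a 32-bit, non-relocated PE


def parse_dumps(text):
    """Yield (pid, seq, start, end) for each memory/... entry."""
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DUMP_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised dump name: {line!r}")
        yield int(m.group(1)), int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)


def image_sizes(text):
    """Sizes of the region mapped at the default image base, per PID."""
    sizes = {}
    for pid, _, start, end in parse_dumps(text):
        if start == IMAGE_BASE:
            sizes.setdefault(pid, set()).add(end - start)
    return sizes


def hollowing_candidates(text, reference_pid):
    """Heuristic: a PID whose image at 0x400000 differs in size from the
    dropper's own image is running a different PE at the dropper's base,
    which is what process hollowing (RunPE) leaves behind."""
    sizes = image_sizes(text)
    ref = sizes[reference_pid]
    return sorted(pid for pid, s in sizes.items() if s != ref)


def shared_regions(text, min_size=0x10000):
    """Regions away from the image base whose size recurs in several PIDs:
    the same injected module mapped into each host process."""
    by_size = defaultdict(set)
    for pid, _, start, end in parse_dumps(text):
        if start != IMAGE_BASE and end - start >= min_size:
            by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def dropped_file_findings(dropped, sample_sha256):
    """Flag copies of the sample itself and paths rewritten with new content."""
    hashes_by_path = defaultdict(set)
    for path, sha256 in dropped:
        hashes_by_path[path].add(sha256.lower())
    return {
        "self_copies": sorted(p for p, h in hashes_by_path.items()
                              if sample_sha256.lower() in h),
        "rewritten": {p: len(h) for p, h in hashes_by_path.items() if len(h) > 1},
    }
```

On this sample the image region in 872 and 3820 is 0x57000 bytes against 0x78000 in 1152, 4832 and 1224, a 0x62000-byte region recurs in 872, 4388 and 4832, and server.exe under SysWOW64\install carries the submitted SHA-256. Run the full XxX.xXx list through dropped_file_findings() to get the total count of distinct contents written to that path.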