Malware Analysis Report

2024-09-22 10:39

Sample ID 240313-a64h1afh2x
Target c48c03e6b3bb2bde1606ba3933a1c064
SHA256 659226164c9602e07740b7c86622b18c697d507836d3270dbf97b207224c4b56
Tags
cybergate remote persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

659226164c9602e07740b7c86622b18c697d507836d3270dbf97b207224c4b56

Threat Level: Known bad

The file c48c03e6b3bb2bde1606ba3933a1c064 was found to be: Known bad.

Malicious Activity Summary

cybergate remote persistence stealer trojan upx

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-13 00:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 00:50

Reported

2024-03-13 00:52

Platform

win7-20231129-en

Max time kernel

148s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3} C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe
PID 3044 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe

"C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe"

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe

"C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 95b263ca37a6cfd19493523e45c6b292
SHA1 6b83cf20415b9cb0f0449e0e2be64294c555c1f4
SHA256 5c511e9a8ccdc3d76f918df721d12228e372f18d47731967c9a97b18971e7d6e
SHA512 745f06da218950b7b8aed195293448c8e5e757067d3e8070ebd59b5a8fe9fc410d0af817d0e32723c8d004432b55999e1594efc78c6892742b550d489f1a5036

C:\Windows\SysWOW64\install\server.exe

MD5 c48c03e6b3bb2bde1606ba3933a1c064
SHA1 2cc8efa2b9a3e45a5d90ee27097c41896201cbcc
SHA256 659226164c9602e07740b7c86622b18c697d507836d3270dbf97b207224c4b56
SHA512 b73affe5d9646bf4a28877edaca26f01529bb5b1d4e09a533c3d39852d396451c0f6067d4ff5c226d39472f337398c1cb1c50db9df5f8ec68d2ee54356ceb375

C:\Users\Admin\AppData\Roaming\cglogs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 00:50

Reported

2024-03-13 00:53

Platform

win10v2004-20240226-en

Max time kernel

160s

Max time network

166s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3} C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3} C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3632 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe
PID 3124 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe

"C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe"

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe

"C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

Network

Country Destination Domain Proto

Files

memory/3124-2-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3124-4-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3124-5-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3124-6-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3124-10-0x0000000010410000-0x0000000010471000-memory.dmp

memory/2900-14-0x0000000001460000-0x0000000001461000-memory.dmp

memory/2900-15-0x0000000001520000-0x0000000001521000-memory.dmp

memory/3124-70-0x0000000010480000-0x00000000104E1000-memory.dmp

memory/2900-75-0x0000000010480000-0x00000000104E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 95b263ca37a6cfd19493523e45c6b292
SHA1 6b83cf20415b9cb0f0449e0e2be64294c555c1f4
SHA256 5c511e9a8ccdc3d76f918df721d12228e372f18d47731967c9a97b18971e7d6e
SHA512 745f06da218950b7b8aed195293448c8e5e757067d3e8070ebd59b5a8fe9fc410d0af817d0e32723c8d004432b55999e1594efc78c6892742b550d489f1a5036

C:\Windows\SysWOW64\install\server.exe

MD5 c48c03e6b3bb2bde1606ba3933a1c064
SHA1 2cc8efa2b9a3e45a5d90ee27097c41896201cbcc
SHA256 659226164c9602e07740b7c86622b18c697d507836d3270dbf97b207224c4b56
SHA512 b73affe5d9646bf4a28877edaca26f01529bb5b1d4e09a533c3d39852d396451c0f6067d4ff5c226d39472f337398c1cb1c50db9df5f8ec68d2ee54356ceb375

memory/2912-145-0x0000000010560000-0x00000000105C1000-memory.dmp

memory/3124-147-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Roaming\cglogs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/1292-173-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1292-176-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ea7431be0f3d6cb6eb4658eba7189ed6
SHA1 42d95a3879a4da1c47fd7007207b4973e73f4152
SHA256 0774cddb209048aef255d1b4858f08da10b3436679a799c46afd0e3481804770
SHA512 27f2f50fb13b589191236f876d9ecfeff6f0b02e775e3b34055a9c1788454fa5c5c1ab3cb36a319395daaaee9318d53ba5eca7fce1b5b6b84a9b2cc561b3c9e3

memory/2900-255-0x0000000010480000-0x00000000104E1000-memory.dmp

memory/2912-1150-0x0000000010560000-0x00000000105C1000-memory.dmp
