Malware Analysis Report

2025-01-02 13:33

Sample ID 240318-f5r2gaab3z
Target d2b20caa1cb3ad7924b69e439e7a744a
SHA256 0d29a8e6361f44ed95c6c67435635a7622e11ab2f03c6f1f5bc80d3856dbde78
Tags
cybergate persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d29a8e6361f44ed95c6c67435635a7622e11ab2f03c6f1f5bc80d3856dbde78

Threat Level: Known bad

The file d2b20caa1cb3ad7924b69e439e7a744a was found to be: Known bad.

Malicious Activity Summary

cybergate persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-18 05:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 05:27

Reported

2024-03-18 05:30

Platform

win7-20240220-en

Max time kernel

147s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\1792.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\1792.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\1792.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\1792.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V} C:\Users\Admin\AppData\Local\Temp\1792.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\1792.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\1792.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\1792.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\1792.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\1792.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\1792.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\1792.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1792.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1792.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1792.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1792.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1792.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\d2b20caa1cb3ad7924b69e439e7a744a.exe C:\Users\Admin\AppData\Local\Temp\1792.exe (4 events)
PID 2900 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\1792.exe C:\Windows\Explorer.EXE (60 events)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d2b20caa1cb3ad7924b69e439e7a744a.exe

"C:\Users\Admin\AppData\Local\Temp\d2b20caa1cb3ad7924b69e439e7a744a.exe"

C:\Users\Admin\AppData\Local\Temp\1792.exe

C:\Users\Admin\AppData\Local\Temp\1792.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\1792.exe

"C:\Users\Admin\AppData\Local\Temp\1792.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (13 connections)

Files

C:\Users\Admin\AppData\Local\Temp\1792.exe

MD5 5a7ea4d892241c9064377d066a81a204
SHA1 c3e7d4f33d70370263ce16e5f30036c1c6380c3d
SHA256 d2e43ec34ac6a0967904d442b07be36bfd75df1df77b36f4bfc764d1cbc75691
SHA512 71287f40c8c6c73bf88845a32523fb386fbf8cd87cc0563fccbe17b570396ec7fa3e590a735ede34f1a484c45db0321b3c55bdbef77ba2d1435389b2837129cf

memory/2908-6-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

memory/2908-7-0x0000000000B30000-0x0000000000BB0000-memory.dmp

memory/1100-12-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/1052-258-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1052-260-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/1052-537-0x0000000024070000-0x00000000240CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 675259725056e9ba1e0ef58aaec57a68
SHA1 b4b507f53f14d9dfcf24e25496efaf19b3bd9145
SHA256 b35140a93b67a9c58579a9268d5568024e2b3ae54eb73c45faadb5854e522c40
SHA512 df35bdf78bb1294bc05623cc35f65bf6e7157c77a1c302a5a7c044d140fd80efbeaef5ea6219bc3f322ac58d708eb63b7a370aaaf23ca77d3f5eb867df766279

memory/2908-657-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

memory/2908-845-0x0000000000B30000-0x0000000000BB0000-memory.dmp

memory/2892-847-0x0000000024130000-0x000000002418F000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2908-874-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5c9294e28fe190b95892afd184a40aa1
SHA1 f145b366d1a83b7d0fc694e1d7d580e2b480fd06
SHA256 44b0ad0fa037b675b4b0c42c3055ff31f04ff28fb373e9e9b257d834c1b213b8
SHA512 8e38460644dd47113d7e7c4d6aebb6596ad1731900fd7f0407312739031793c52360ab44b2517af4c0e6b31c3ebaa39455fc84fc7fb829eecef8f51d45de9057

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 55fde51772879845727dc51bdbb46344
SHA1 83450d22546e89e92744981c6c73fa58ed83f282
SHA256 ba2f2f6f481ae09a9ca2edd3baaea97edca8af38ad8b68b631aedf6607936e49
SHA512 966155a3168477c3d62c37641fdad7c38fd439a7f9da3dbc650adbe47aeb1338ea5da1187c10b3f938f150bd5515df0e2ac8bccc061fc6591158b28cb835dff0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0fdb5da48a5811a7eb5733f6290b79b9
SHA1 f9b6646b13b22d48c8ad479004865209b453fc78
SHA256 6f91628bcf2f152347d217fadd1e72d57427749e4e5d04b907c2df5bd3928161
SHA512 cf290ad15bdeb20c0b40c7d05b199d36496a186cfbcedc1fa5280b10f35de9ea0d8cb03800175a1669a0c17e50f45bcabb5d7e1cd823cfe8a3efee016f54970c

memory/1052-989-0x0000000024070000-0x00000000240CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a98ca2350f3013a4477f5fb10fe3700e
SHA1 8ecebe5aab3617a4e9d6398bcbdf20e371a32888
SHA256 395b61c6adf102ef85ae81d55ddb79a670c9b6c5b50a8a0a1b8da50fdc3871ff
SHA512 3d0172341e350bba4908e22ca126aaef7c6fd7fb525e7c1a91e33849af99e6f48a5ec33d19e1216fc412a5658a5cd5d646884793b8fbed613dc9d73d1f2bb24d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5cacd6a29c463998318083632fc22274
SHA1 e42298eff5b54839bbe2e962fea682bba626bf4f
SHA256 1245db6c2c048365f5a223aee88c56fe73f1c7beda529adb97dd218214cbce76
SHA512 a8d7e237cd79b588e44f5f4c4132df4d688382b81c5453c63fb30a858670110d991f89c80bd673f5cf539f98b2602c1f18ce885db1ecbfdd7833fcee20558754

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2499bcda32b442533c8fb5aec56ea16f
SHA1 6bbbce89021cd3574bb98ce54ed7ab0cfd3b6819
SHA256 8185bd9b5a82278d9a8bd4a048f16c4a3db8770aed5ad226c0df22934e180b82
SHA512 87cfa2d15df0418658796bf136e3843b26a6b595b2f17110b8ec7545e655a0761c5c3e128082b92e1341e8ebbc1a236ceee45a971f480fc55a01061405347528

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fb8a4676aa754e6ea4cd3dbaa8415d81
SHA1 560270edc533026bc522ff63aa5d42a8ae90f317
SHA256 75a54d3cf1bf00de36466ae49a727c4c6503b32a0147c5e153c79cd177f2446c
SHA512 ea663a1d19abe1ee74215c0ab1e344b5652ee5debfba79a790f10e9d1b53f0d8c894404b6057a71023ec119e8725bc9c72107d3b741c18fd1ea478df3bdba562

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c394fd26b5cf672cbeac5b1c79793304
SHA1 6105eedb838f15483a07b8027b53d1ddc828af2c
SHA256 a47ce144aeea236f6464027e9995e28ede52f19d032b665e0ee868c412ac452f
SHA512 86a0db37735022a5821fcc069b2cf2846452a389bcb1973b5466879b72114736e401ddf07ed78b141cb55ef07bab3f99760f955717cf94e54683515879fc759b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 bd20312d4971993f8c5e580f514a9677
SHA1 c67a3251003b0965d49568f0852e6fae620bdc7c
SHA256 8998d3fb041052b054228ffc6c56a1c50a01a2fcb1f9c27be66b552bb1b25e51
SHA512 1b4e7bd90b8a92b498adb4b4a9500ed07f8209fbeafd50be75f6679c8fdc7276c131e0da1f2feb258b8c1bd8bb0b37a62f30874f08433a2344d479bd70f4310c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e716fef6dc4686c8075f96b2cefe9863
SHA1 68c798f1269d861dbd9c604e025459c472342251
SHA256 ee2e6b50b7ef9601d85718cf3a55d5fec48887924fd3b0f26173ac8c5c391f15
SHA512 7067f44f14af315371cd6c52c82e483b78361d1834e2cf8d5c780c6645e42c28033d771a4dc887211f5353e3b987b242b32ba218e67f45e6ce8fb4160fe9a0f7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9b265f5609be9eed627410c78914f89a
SHA1 e2fbe2e8fd2e5d6e571ef2e1ca397cd41c40ed46
SHA256 b6329a47143d443fec9e4a1bc23f49b73c72bf5780deec2ad3940febd80cd658
SHA512 89a4385559d7745d0f02edda986ab69a1430bd71e23c65727c7949384d727b92ec00eb6c459506aef4961278a0a3f41ea9942516fa7cfcf339492f2a10f2d307

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f0455967d6b4c2ed6bf660abacf9d7c7
SHA1 02c3555def0575e64d4143724a2cc4a97aba20bb
SHA256 8b255baa9f3658129c3c9e305d9392c8e31cee53b81ab1d1611c533b84f63c90
SHA512 7cbe71927ee669642e99070258cb813afd7dc84086a54565ab2f363917c7e7b7d25735b7140cc424c5a2ebfc00c29976acf78214ed730ebc9d7007ecfd9370b6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0716e3141e1b312bf3583cb8eb964351
SHA1 a3f3c11a58073186a4de9b0a7780eae152529af4
SHA256 3b05df34af26371b8802fe6782bd3810591cf919391835aaa205ca9f9cd6adca
SHA512 2ae528a1e91b795619030104383e2ae183ffae90afccfe9d89c91e028aa8e6cd97c38e0d907bde39ab6299a9c514e0f6129f107e55814e988e3f080308da5d8a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2d417511da9edf1885a1b517af87d4f1
SHA1 7dedc802bf38b1e0b5552aad952774e03d649515
SHA256 30e2ec2ab22d4895f20537a50e3f960e4d634b79e890ec5d6f4aa1a81311b0fe
SHA512 569c63748671847ab1c118796ee60fa31259e18e33d89340e28abc7c60b7c7757419d1a0a94e06794f0abced3d605fe7057d62be0141ff9518b30e6b3af99b6b

memory/2892-1763-0x0000000024130000-0x000000002418F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2ffa3ed504e1c67cc9cb02294ac8b919
SHA1 2e34709402cb430d79b1e14447b335acaf07ba55
SHA256 05a595416e79e678545454077272742872e3120c293ad1f9c525028b7212fe8e
SHA512 94108fe90c34b4cf90392d0eb560549a85c22af2a57db920e2fc61d4088b897458bc14fd4408f981462088f511b9122b799c8cd32acea191aeea85aba0750f7f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2456ae3fa108651124a12a4c8b3088e9
SHA1 2e268c8b596fe4fe44981246eed40eb2eb07f7a3
SHA256 c2cae8d70a29896f2588d9622fc93d86eaf755de28e7966b71c356f01a70a9cc
SHA512 6bd36334ad6abbcc496852d01cad3e919517b53e04f97374006fbca9a1a4a0434418d664921facc7f46f50be0bc51301b2d3351e21ad41863663cedde4efeced

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 72a98ca4cd39518d8a103f3c6f3054be
SHA1 cd7c9115ab61bfff7252f9f3ba4813cb6712e5e4
SHA256 5261501b698fda3414c8de5a5edb50227aa916be3376bf204e66597c418c865d
SHA512 732252eeb2c361fddaca7e38a1158c3bcca1ba68be926472454afebf79793a314e1b12c323fae0ee5e70cfa92150b0cb454bc56054fa997e362966d5a4e55d84

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cb617bf82e65fd1d1a85ccb788009cb2
SHA1 9f5a3d8eebcf04a0b6e3522f10c1321da173d955
SHA256 f66793a80bc8ef35d737dceba12dfb079a237dea61a3291a8bb10ff7e3244a3e
SHA512 8ecb0933a8e7d2e1097ab770482ba59772d1cba3553538fb3aecf88cb6d659ab33a8cd6f4cf945570f255e8b6316f1efda6b6a4361ab76ffa5ae7c6493429407

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 731f58cc006c0a40c649a75780d0b700
SHA1 b501106fa90eda5a0a307cc1c365cc5605f3611d
SHA256 be6cd5ce60483892370b11df6b0ee03982143b7db794d875c74b52589d3a5988
SHA512 e96b4df4204fb784a8df216f78b6fb02b6c66b494a4182f84b5da93d54ff3efd7be589d6643fcc938674b3e7994611ce192238d214de98998c7faf72269f50a2

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 05:27

Reported

2024-03-18 05:30

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\210.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\210.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\210.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\210.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V} C:\Users\Admin\AppData\Local\Temp\210.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\210.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\210.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\210.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
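Analyst note on the "UPX packed file" and "Unsigned PE" signatures (static1 and both behavioral runs): the sandbox prints them without indicators, so the Python below shows the static checks they rest on. It is an added example, not the sandbox's rule and not code from the sample; the PE images are constructed header-only skeletons, and the function names are this example's own. UPX is recognised by its section names (UPX0/UPX1), by UPX0 having no raw bytes on disk (the stub decompresses into it at run time), and by the entry point sitting in UPX1; "unsigned" means the Authenticode data directory (entry 4, IMAGE_DIRECTORY_ENTRY_SECURITY) is empty. Section names are trivial to rename, so treat the name match as a triage hint and the raw-size and entry-point checks as the more durable signal; a non-empty security directory only means a signature blob is present, not that it verifies.

```python
"""Static checks behind the "UPX packed file" and "Unsigned PE" signatures.

Added example, not part of the sandbox report or its rules. The PE images are
constructed header-only skeletons (DOS stub, COFF header, PE32 optional header,
section table) so everything runs offline; the function names are this example's own.
"""
import struct

def pe_headers(data: bytes):
    """Return (optional_header_offset, optional_header_size, section_table_offset, n_sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    return opt, opt_size, opt + opt_size, n_sections

def sections(data: bytes) -> list:
    """[(name, virtual_size, virtual_address, raw_size)] from the section table."""
    _, _, sec_off, n = pe_headers(data)
    out = []
    for i in range(n):
        name, vsize, vaddr, raw = struct.unpack_from("<8sIII", data, sec_off + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, raw))
    return out

def entry_point_section(data: bytes):
    """Name of the section that contains AddressOfEntryPoint, or None."""
    opt, _, _, _ = pe_headers(data)
    ep = struct.unpack_from("<I", data, opt + 16)[0]
    for name, vsize, vaddr, _ in sections(data):
        if vaddr <= ep < vaddr + vsize:
            return name
    return None

def looks_upx_packed(data: bytes) -> bool:
    """UPX0/UPX1 present, UPX0 has no bytes on disk, entry point is in UPX1.

    The names alone are a weak signal (trivially renamed); the empty UPX0
    region and the entry point in the unpacker's section survive renaming.
    """
    secs = sections(data)
    names = [s[0] for s in secs]
    empty_upx0 = any(n == "UPX0" and raw == 0 and vsize > 0 for n, vsize, _, raw in secs)
    return "UPX0" in names and "UPX1" in names and empty_upx0 and entry_point_section(data) == "UPX1"

def has_authenticode(data: bytes) -> bool:
    """Non-empty IMAGE_DIRECTORY_ENTRY_SECURITY (index 4). Presence only; does not verify the signature."""
    opt, _, _, _ = pe_headers(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}[magic]          # data directories: PE32 at 96, PE32+ at 112
    off, size = struct.unpack_from("<II", data, opt + dd_off + 4 * 8)
    return off != 0 and size != 0

def build_pe(section_specs, entry_point: int, signed: bool = False) -> bytes:
    """Constructed PE32 skeleton; section_specs = [(name, vsize, vaddr, raw_size, raw_ptr, characteristics)]."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x4000, 0x1800)   # fake security directory
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, raw, ptr, 0, 0, 0, 0, ch)
                     for n, vs, va, raw, ptr, ch in section_specs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

# Section layout typical of a UPX-compressed 32-bit executable (constructed values).
UPX_SAMPLE = build_pe([
    (b"UPX0", 0x1A000, 0x1000,  0x0,    0x400,  0xE0000080),
    (b"UPX1", 0x9000,  0x1B000, 0x8A00, 0x400,  0xE0000040),
    (b".rsrc", 0x1000, 0x24000, 0x600,  0x8E00, 0xC0000040),
], entry_point=0x23B40)

# Unpacked, Authenticode-signed control image (constructed values).
SIGNED_SAMPLE = build_pe([
    (b".text",  0x3000, 0x1000, 0x3000, 0x400,  0x60000020),
    (b".rdata", 0x1000, 0x4000, 0x1000, 0x3400, 0x40000040),
], entry_point=0x1200, signed=True)

if __name__ == "__main__":
    for label, img in (("upx", UPX_SAMPLE), ("signed", SIGNED_SAMPLE)):
        print(label, [s[0] for s in sections(img)], "packed:", looks_upx_packed(img),
              "entry in:", entry_point_section(img), "authenticode:", has_authenticode(img))
```

Run the same functions over the bytes of the submitted sample, the dropped 1792.exe / 210.exe and the memory dumps listed under Files; the sandbox's multiple N/A rows under "UPX packed file" reflect that several of those artefacts matched, not just the original submission.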

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\210.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\210.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\210.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\210.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\210.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\210.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\210.exe N/A
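Analyst note on the persistence rows in both behavioral runs: the same second stage (1792.exe on win7, 210.exe on win10) writes server.exe into Policies\Explorer\Run, into an Active Setup StubPath (with a "Restart" argument) and into Run values named HKLM and HKCU. Two details in the rows are easy to misread. The file lands in C:\Windows\SysWOW64\install\ while every registry value says C:\Windows\system32\install\, and the Run and Active Setup writes appear under Wow6432Node: both are WOW64 redirection of a 32-bit process, not two separate locations (Policies\Explorer\Run is a shared key and is not redirected, which is why it shows no Wow6432Node). And the Active Setup component {057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V} is not a GUID at all (K, Y, J, Q, X, P, S, T and U are not hex digits), unlike the well-formed CLSID {1f3427c8-5c10-4210-aa03-2ee45287d668} in the "Modifies registry class" row above. The Python below turns those observations into detection logic over registry-write events. It is an added example, not part of the report or a vendor rule; the events are constructed from the behavioral2 rows, and the rule names, notes and ATT&CK mappings (T1547.001 Run keys, T1547.014 Active Setup) are this example's own.

```python
"""Detection logic for the registry persistence rows in behavioral1/behavioral2.

Added example, not part of the sandbox report and not a vendor rule. The
RegEvent records are constructed from the behavioral2 indicator rows (the
doubled backslashes the report prints are restored to single ones); the rule
names, notes and helper functions are this example's own.
"""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RegEvent:
    key: str      # key path as the sandbox logs it (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...)
    name: str     # value name ("" for a key-creation event)
    data: str     # value data
    process: str  # image path of the writing process

@dataclass
class Finding:
    rule: str
    technique: str       # MITRE ATT&CK sub-technique
    event: RegEvent
    notes: list = field(default_factory=list)

# Strip hive, SID and the WOW64 redirection node so one pattern covers all four spellings.
PREFIX_RE = re.compile(
    r"^\\REGISTRY\\(MACHINE|USER\\S-1-5-[\d-]+)\\(SOFTWARE\\(WOW6432NODE\\)?)?", re.I)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

def normalize_key(key: str) -> str:
    return PREFIX_RE.sub("", key).upper()

def exe_path(data: str) -> str:
    """Executable part of a command-line value, without quotes or arguments."""
    m = re.match(r'^"?(.*?\.exe)"?(\s|$)', data.strip(), re.I)
    return m.group(1) if m else data.strip()

def in_system32_subdir(path: str) -> bool:
    """An .exe in a *subdirectory* of system32/SysWOW64 (install\server.exe), not in the directory itself."""
    return re.search(r"\\WINDOWS\\(SYSTEM32|SYSWOW64)\\[^\\]+\\[^\\]+\.EXE$", path.upper()) is not None

def classify(ev: RegEvent) -> list:
    k, findings = normalize_key(ev.key), []
    if not ev.name:                      # key creation alone is not actionable
        return findings
    if k.endswith("MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN"):
        findings.append(Finding("policies_explorer_run", "T1547.001", ev))
    elif k.endswith("MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN"):
        f = Finding("run_key", "T1547.001", ev)
        if ev.name.upper() in ("HKLM", "HKCU"):
            f.notes.append("value name mirrors a hive name, as in this report")
        findings.append(f)
    m = re.search(r"MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\(\{[^}]*\})$", k)
    if m and ev.name.upper() == "STUBPATH":
        f = Finding("active_setup_stubpath", "T1547.014", ev)
        if not GUID_RE.match(m.group(1)):
            f.notes.append("component GUID is not valid hex")
        if ev.data.strip().upper().endswith(" RESTART"):
            f.notes.append("StubPath carries a 'Restart' argument")
        findings.append(f)
    target = exe_path(ev.data)
    for f in findings:                   # context that raises the score of any rule above
        if in_system32_subdir(target):
            f.notes.append("target is an .exe in a subdirectory of system32")
        if "\\APPDATA\\LOCAL\\TEMP\\" in ev.process.upper():
            f.notes.append("written by a process running from %TEMP%")
    return findings

def scan(events) -> list:
    return [f for ev in events for f in classify(ev)]

SERVER = r"C:\Windows\system32\install\server.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\210.exe"
SID = r"\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000"
SAMPLE_EVENTS = [
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "Policies", SERVER, STAGE2),
    RegEvent(SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "Policies", SERVER, STAGE2),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V}",
             "StubPath", SERVER + " Restart", STAGE2),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run", "HKLM", SERVER, STAGE2),
    RegEvent(SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "HKCU", SERVER, STAGE2),
    # Constructed benign control: an installer registering a Run entry for a binary in system32 proper.
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
             r"C:\Windows\system32\SecurityHealthSystray.exe", r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique} {f.rule:<24} {f.event.name:<14} notes={len(f.notes)}")
```

Every Run-key write produces a finding, so the notes carry the triage weight: the benign control ends with none, the Active Setup write from this sample ends with four. Feed the classifier Sysmon event 13 / EDR registry telemetry in the same (key, name, data, process) shape to hunt for the pattern outside the sandbox.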

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\210.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\210.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\210.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\210.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\210.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\210.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\210.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\d2b20caa1cb3ad7924b69e439e7a744a.exe C:\Users\Admin\AppData\Local\Temp\210.exe (3 events)
PID 3680 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\210.exe C:\Windows\Explorer.EXE (61 events)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d2b20caa1cb3ad7924b69e439e7a744a.exe

"C:\Users\Admin\AppData\Local\Temp\d2b20caa1cb3ad7924b69e439e7a744a.exe"

C:\Users\Admin\AppData\Local\Temp\210.exe

C:\Users\Admin\AppData\Local\Temp\210.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\210.exe

"C:\Users\Admin\AppData\Local\Temp\210.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1848 -ip 1848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 568

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 532

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp

Files

memory/2900-0-0x000000001B680000-0x000000001B726000-memory.dmp

memory/2900-1-0x00007FFDF92F0000-0x00007FFDF9C91000-memory.dmp

memory/2900-2-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\210.exe

MD5 5a7ea4d892241c9064377d066a81a204
SHA1 c3e7d4f33d70370263ce16e5f30036c1c6380c3d
SHA256 d2e43ec34ac6a0967904d442b07be36bfd75df1df77b36f4bfc764d1cbc75691
SHA512 71287f40c8c6c73bf88845a32523fb386fbf8cd87cc0563fccbe17b570396ec7fa3e590a735ede34f1a484c45db0321b3c55bdbef77ba2d1435389b2837129cf

memory/2900-5-0x00007FFDF92F0000-0x00007FFDF9C91000-memory.dmp

memory/3680-11-0x0000000024010000-0x000000002406F000-memory.dmp

memory/744-15-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/744-16-0x0000000000490000-0x0000000000491000-memory.dmp

memory/3680-71-0x0000000024070000-0x00000000240CF000-memory.dmp

memory/744-74-0x00000000033C0000-0x00000000033C1000-memory.dmp

memory/744-75-0x0000000024070000-0x00000000240CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 f1c92c8cada7c0b0c0e51cbcb519e8b6
SHA1 e012cc64c26f3cd1728bfa943b06448f7ec7a45e
SHA256 69561d11acc9a32cb9e6f66a4b6e0b9d6e3af12961e30c89d468842f009b28e3
SHA512 cdda812d010e3240c724ec285dc2d1cba54eb929621ee9c9fbb297ec925dbc7d5b11fe5bc199cc9efb7850981efc4d0ec61e84b7a392e6681ef59fa51e18ee05

memory/2900-102-0x00007FFDF92F0000-0x00007FFDF9C91000-memory.dmp

memory/2900-105-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

memory/1472-147-0x0000000024130000-0x000000002418F000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2900-166-0x00007FFDF92F0000-0x00007FFDF9C91000-memory.dmp

memory/744-175-0x0000000024070000-0x00000000240CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fb8a4676aa754e6ea4cd3dbaa8415d81
SHA1 560270edc533026bc522ff63aa5d42a8ae90f317
SHA256 75a54d3cf1bf00de36466ae49a727c4c6503b32a0147c5e153c79cd177f2446c
SHA512 ea663a1d19abe1ee74215c0ab1e344b5652ee5debfba79a790f10e9d1b53f0d8c894404b6057a71023ec119e8725bc9c72107d3b741c18fd1ea478df3bdba562

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c394fd26b5cf672cbeac5b1c79793304
SHA1 6105eedb838f15483a07b8027b53d1ddc828af2c
SHA256 a47ce144aeea236f6464027e9995e28ede52f19d032b665e0ee868c412ac452f
SHA512 86a0db37735022a5821fcc069b2cf2846452a389bcb1973b5466879b72114736e401ddf07ed78b141cb55ef07bab3f99760f955717cf94e54683515879fc759b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 bd20312d4971993f8c5e580f514a9677
SHA1 c67a3251003b0965d49568f0852e6fae620bdc7c
SHA256 8998d3fb041052b054228ffc6c56a1c50a01a2fcb1f9c27be66b552bb1b25e51
SHA512 1b4e7bd90b8a92b498adb4b4a9500ed07f8209fbeafd50be75f6679c8fdc7276c131e0da1f2feb258b8c1bd8bb0b37a62f30874f08433a2344d479bd70f4310c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e716fef6dc4686c8075f96b2cefe9863
SHA1 68c798f1269d861dbd9c604e025459c472342251
SHA256 ee2e6b50b7ef9601d85718cf3a55d5fec48887924fd3b0f26173ac8c5c391f15
SHA512 7067f44f14af315371cd6c52c82e483b78361d1834e2cf8d5c780c6645e42c28033d771a4dc887211f5353e3b987b242b32ba218e67f45e6ce8fb4160fe9a0f7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9b265f5609be9eed627410c78914f89a
SHA1 e2fbe2e8fd2e5d6e571ef2e1ca397cd41c40ed46
SHA256 b6329a47143d443fec9e4a1bc23f49b73c72bf5780deec2ad3940febd80cd658
SHA512 89a4385559d7745d0f02edda986ab69a1430bd71e23c65727c7949384d727b92ec00eb6c459506aef4961278a0a3f41ea9942516fa7cfcf339492f2a10f2d307

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f0455967d6b4c2ed6bf660abacf9d7c7
SHA1 02c3555def0575e64d4143724a2cc4a97aba20bb
SHA256 8b255baa9f3658129c3c9e305d9392c8e31cee53b81ab1d1611c533b84f63c90
SHA512 7cbe71927ee669642e99070258cb813afd7dc84086a54565ab2f363917c7e7b7d25735b7140cc424c5a2ebfc00c29976acf78214ed730ebc9d7007ecfd9370b6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0716e3141e1b312bf3583cb8eb964351
SHA1 a3f3c11a58073186a4de9b0a7780eae152529af4
SHA256 3b05df34af26371b8802fe6782bd3810591cf919391835aaa205ca9f9cd6adca
SHA512 2ae528a1e91b795619030104383e2ae183ffae90afccfe9d89c91e028aa8e6cd97c38e0d907bde39ab6299a9c514e0f6129f107e55814e988e3f080308da5d8a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2d417511da9edf1885a1b517af87d4f1
SHA1 7dedc802bf38b1e0b5552aad952774e03d649515
SHA256 30e2ec2ab22d4895f20537a50e3f960e4d634b79e890ec5d6f4aa1a81311b0fe
SHA512 569c63748671847ab1c118796ee60fa31259e18e33d89340e28abc7c60b7c7757419d1a0a94e06794f0abced3d605fe7057d62be0141ff9518b30e6b3af99b6b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2ffa3ed504e1c67cc9cb02294ac8b919
SHA1 2e34709402cb430d79b1e14447b335acaf07ba55
SHA256 05a595416e79e678545454077272742872e3120c293ad1f9c525028b7212fe8e
SHA512 94108fe90c34b4cf90392d0eb560549a85c22af2a57db920e2fc61d4088b897458bc14fd4408f981462088f511b9122b799c8cd32acea191aeea85aba0750f7f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2456ae3fa108651124a12a4c8b3088e9
SHA1 2e268c8b596fe4fe44981246eed40eb2eb07f7a3
SHA256 c2cae8d70a29896f2588d9622fc93d86eaf755de28e7966b71c356f01a70a9cc
SHA512 6bd36334ad6abbcc496852d01cad3e919517b53e04f97374006fbca9a1a4a0434418d664921facc7f46f50be0bc51301b2d3351e21ad41863663cedde4efeced

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 72a98ca4cd39518d8a103f3c6f3054be
SHA1 cd7c9115ab61bfff7252f9f3ba4813cb6712e5e4
SHA256 5261501b698fda3414c8de5a5edb50227aa916be3376bf204e66597c418c865d
SHA512 732252eeb2c361fddaca7e38a1158c3bcca1ba68be926472454afebf79793a314e1b12c323fae0ee5e70cfa92150b0cb454bc56054fa997e362966d5a4e55d84

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cb617bf82e65fd1d1a85ccb788009cb2
SHA1 9f5a3d8eebcf04a0b6e3522f10c1321da173d955
SHA256 f66793a80bc8ef35d737dceba12dfb079a237dea61a3291a8bb10ff7e3244a3e
SHA512 8ecb0933a8e7d2e1097ab770482ba59772d1cba3553538fb3aecf88cb6d659ab33a8cd6f4cf945570f255e8b6316f1efda6b6a4361ab76ffa5ae7c6493429407

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 731f58cc006c0a40c649a75780d0b700
SHA1 b501106fa90eda5a0a307cc1c365cc5605f3611d
SHA256 be6cd5ce60483892370b11df6b0ee03982143b7db794d875c74b52589d3a5988
SHA512 e96b4df4204fb784a8df216f78b6fb02b6c66b494a4182f84b5da93d54ff3efd7be589d6643fcc938674b3e7994611ce192238d214de98998c7faf72269f50a2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e2b6e1d6453d76cbdf46b8862283a1fa
SHA1 66e0cf669b0f1190496e6fa24075ed04d4130c8b
SHA256 d9e385be1286cfbd15ad7cbb0aeb4fa4d165a59e12cea0bf190886530fb51812
SHA512 a5f59b3f04c0092933166fe92aad21e6af2dd985f9253c7322c522f1d5da6756a9e0fca5da4711d2b4abfe9033ec350240ed3b29525e90ae48bbd2ebe16b0385

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 44634653644314d3712eb6a038e0d288
SHA1 9604bca9679d3413db614aa4b10b920ae85da057
SHA256 b7668288fa06de7a648555a38d5ba01f6a922bda44960061ab45fb3db012fcf0
SHA512 daa1e93afc81b51a1d3d3af89d33fb6303aa81ded406caa1f53c9143e69fa890bc7dc6c43334d0e749ae0105ed8646a282147552b794e7a92202c6cff2d7ae83

memory/1472-1482-0x0000000024130000-0x000000002418F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7a4d8a297a534930607777103b8f6e1a
SHA1 3bf3d46c234e270314df21874e34e2235eff815e
SHA256 d42beccc1caf21aedbced9c02bfe32ecc9dff6eca1430b56d477ada4ae27fa4b
SHA512 2193cd184539d4c7cd132c53147b8d4e93229c13b4a126303188592c4da2b23cb715b4d56f107dc3a49c7d24b4e727da0e6884d011b706a510ba6714c4918bb8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 544c7b2677563fca743eb6ca4c36a953
SHA1 c77b5db2b3a1d45d5a759576cb74d0828e32ee1c
SHA256 40f23207741c3c4f9cde9b44808541df5ee11768150a254a813329b99f3bbedb
SHA512 95c81d6df50e1fdd32d74410d243e4bd7c8118eec6bb94fddd60e23ccfcbb552724f1d945de0ff79d94ace639fd733c3ef89d21545c0c165715deb565a815d0b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 21620052e746d14f6c64e7984461ec37
SHA1 ed08aa9d120e53d7dadb36be4e00d1c3de0eff63
SHA256 83d61e7ad09fa32899470e353fed29cd12240aa4e997e5fee6fc4426f7d47b4b
SHA512 f42edd9dbb625ae0e481b7e0c3a8d3a1a29ce75217d07fd5344c1bd3676fe76536f496b708c21daa8e37f4e15afd51c37d0190d8a21b389437a4f795ec882d37

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c27a7c4fdd15760aa04f92e517d0d7f0
SHA1 131a9b086ed8b8111617b6157a070ae252ff0521
SHA256 afe77c9e4b4135dbbebccdace217b6961e0da774123b7e4afa65e22028961b3c
SHA512 2cae05885a60f1bb7b800f6f087452e1fa0cf48426db1a0ee9c1dc69f8591bc1981013d947e6724fcd3a1743d29100e9250153d457efe59be130c6031c9ac5cd
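The Network and Files tables above are the raw material an analyst turns into indicators, but as printed they mix actionable rows with sandbox noise (PTR lookups against the 8.8.8.8 resolver, Bing CDN traffic from the spawned iexplore.exe) and repeat one dropped path many times with different hashes. The Python below is an added example, not part of the sandbox report or of the CyberGate sample: it parses short excerpts of both tables, constructed inline in the page's own column format, separates network indicators from resolver and CDN noise (the noise suffix allow-list is an assumption, not something the report states), and flags any dropped path that was captured more than once with distinct content, where a hunt should key on the path rather than on any single hash.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's Network table, same columns as the page
# (Country Destination Domain Proto; Domain is absent on some rows).
NETWORK_ROWS = """
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
"""

# Constructed excerpt of the Files section: a memory dump line (no hashes), a dropped
# executable with its hashes, and the same path captured twice with different content.
FILE_ROWS = r"""
memory/2900-0-0x000000001B680000-0x000000001B726000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\210.exe

MD5 5a7ea4d892241c9064377d066a81a204
SHA256 d2e43ec34ac6a0967904d442b07be36bfd75df1df77b36f4bfc764d1cbc75691

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fb8a4676aa754e6ea4cd3dbaa8415d81
SHA256 75a54d3cf1bf00de36466ae49a727c4c6503b32a0147c5e153c79cd177f2446c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c394fd26b5cf672cbeac5b1c79793304
SHA256 a47ce144aeea236f6464027e9995e28ede52f19d032b665e0ee868c412ac452f
"""

# Assumed allow-list: reverse-DNS lookups and the CDN pulled in by iexplore.exe
# show up in nearly every detonation and are not indicators of this sample.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.net")

NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<dst>\S+:\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def parse_network(text):
    """One dict per table row; the Domain column is optional, as on the page."""
    rows = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def network_iocs(text):
    """Count connections per (domain, destination, proto), dropping allow-listed noise.

    DNS queries for a non-noise name are kept so the looked-up domain survives even
    when the follow-on TCP connection was not captured.
    """
    hits = defaultdict(int)
    for r in parse_network(text):
        dom = r["domain"] or ""
        if dom.endswith(NOISE_SUFFIXES):
            continue
        hits[f"{dom or '-'} {r['dst']} {r['proto']}"] += 1
    return dict(hits)


def parse_files(text):
    """Group each dropped path with the hash lines that follow it; memory dumps are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            current = None  # in-memory region dump, not a file on disk
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def rewritten_paths(text):
    """Paths captured more than once with distinct SHA256: hunt on the path, not the hash."""
    seen = defaultdict(set)
    for e in parse_files(text):
        if "SHA256" in e["hashes"]:
            seen[e["path"]].add(e["hashes"]["SHA256"])
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    for k, n in sorted(network_iocs(NETWORK_ROWS).items()):
        print(f"{n:3d}  {k}")
    for p, n in rewritten_paths(FILE_ROWS).items():
        print(f"path rewritten with {n} distinct contents: {p}")
```

On the full table above the same filter leaves only the www.server.com lookups and the repeated plain-HTTP connections to 52.8.126.80:80, plus the single bare connection to 52.142.223.178:80 that has no domain attached; those are the rows worth checking against proxy and DNS logs. The Files section shows C:\Users\Admin\AppData\Local\Temp\XxX.xXx written some twenty times with a different hash each time, so a detection keyed on any one of those hashes will miss the next run while the path itself stays constant.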