Malware Analysis Report

2024-09-22 10:17

Sample ID 240320-e1lhfsge37
Target d7e1163e330ad9205fc1da6476656dd0
SHA256 b41ba7121c306936cf7ef9a834b0d81d8432e8ce6d43e406dff381142965ac4b
Tags
cybergate remote bootkit persistence stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

b41ba7121c306936cf7ef9a834b0d81d8432e8ce6d43e406dff381142965ac4b

Threat Level: Known bad

The file d7e1163e330ad9205fc1da6476656dd0 was found to be: Known bad.

Malicious Activity Summary

cybergate remote bootkit persistence stealer trojan upx

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

Loads dropped DLL

UPX packed file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-20 04:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 04:24

Reported

2024-03-20 04:27

Platform

win7-20240221-en

Max time kernel

148s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C} C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C}\StubPath = "C:\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C}\StubPath = "C:\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\install\server.exe N/A
N/A N/A C:\install\server.exe N/A
N/A N/A C:\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
File opened for modification \??\PhysicalDrive0 C:\install\server.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
N/A N/A C:\install\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2972 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe 9
PID 3052 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe 12
PID 2732 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE 43

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe"

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe"

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe"

C:\install\server.exe

"C:\install\server.exe"

C:\install\server.exe

"C:\install\server.exe"

C:\install\server.exe

"C:\install\server.exe"

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 www.server.com udp 1
US 52.8.126.80:80 www.server.com tcp 13

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-20 04:24

Reported

2024-03-20 04:27

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C}\StubPath = "C:\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C} C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C}\StubPath = "C:\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C} C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\install\server.exe N/A
N/A N/A C:\install\server.exe N/A
N/A N/A C:\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\install\server.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 3476 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe 8
PID 4788 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe 12
PID 4788 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE
PID 1088 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe"

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe"

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0.exe"

C:\install\server.exe

"C:\install\server.exe"

C:\install\server.exe

"C:\install\server.exe"

C:\install\server.exe

"C:\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/4788-2-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4788-4-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1088-7-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1088-8-0x0000000000400000-0x000000000044F000-memory.dmp

memory/4788-10-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1088-9-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1088-12-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1088-16-0x0000000010410000-0x0000000010475000-memory.dmp

memory/1396-20-0x0000000000690000-0x0000000000691000-memory.dmp

memory/1396-21-0x0000000000750000-0x0000000000751000-memory.dmp

memory/1396-81-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 cdbb904cc101a0c9b9b6eb4fec6eb42d
SHA1 80b540a4ad114766b9f12e66c10742dcf7be1728
SHA256 62b9bdae7a4a088322e06744e99ad833a9731eeed9b9282a0d4396f5a9b9dbd5
SHA512 a073f3d7a8c13c5469265b3b092b44ec4cb350fbc0e2ee3297fc6fc2e040b694fee34f39001c9eceacffa59d18aa6d29a927278da19c5bbdb2f2a8b72bb964e8

C:\install\server.exe

MD5 d7e1163e330ad9205fc1da6476656dd0
SHA1 895d3dda522229f5647c091438b5962901a312da
SHA256 b41ba7121c306936cf7ef9a834b0d81d8432e8ce6d43e406dff381142965ac4b
SHA512 425598727453113486eec90457e7a3794c3ce047639a7416feaeb52d37ec309dbc0a0470b6646fa2c6d5012e32d34c4f2650471b19b39382fe84487147b8c368

memory/3480-151-0x0000000010560000-0x00000000105C5000-memory.dmp

memory/1088-153-0x0000000000400000-0x000000000044F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2508-179-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2508-187-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4776-188-0x0000000000400000-0x000000000044F000-memory.dmp

memory/4776-191-0x0000000000400000-0x000000000044F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5a5f847995e4a18a53a1de67011810ae
SHA1 589b4f1d3e99b339a39f48575f99ceba58e7e8b7
SHA256 ac90809de9da5fb1e5fcfc8913cb0d7babf8087a2d74947e91febe36b977861f
SHA512 3c2a1c1c23452546bb88785f6c94c19b237c3d51cb9012d1c71026daa0ce2b0302d2d84e42f073725968a445aceaa2f4c17d3a3964438da0de4c2419ebd4a06d

memory/1396-288-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b028d5f8e4316cfb84f44af1204a88ec
SHA1 60fc312414e5956b1a803279e811a5ce70b4b3c2
SHA256 1a06988e087b3cee74da3163f61a6114f87f6a5a350f677fe054c116104f8c47
SHA512 64093e0c0304477da44391b397e7492f8d3d9f04295e2baa2757878dc09e705f6f383e2e2f8a855c5f992441bb314d500fb5d80f2cbace6a932a3927c3559dd8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fd520b4213b7939bc6f79509b2446ee8
SHA1 291feb5616ee9efbcaa7d8a94615366bced49a91
SHA256 4d3834e597678b5d38cb51185dd8599f51de40bcc1d92cf5e956a3e36a64056f
SHA512 d21bf7714bed70b3c8db397b17914bc0f7f961e6b98a3006ce979f96e8052e034d8979040b4b5c01cc3fd9ec5f67722daac15dd812c5c22d8b147b58f2dbceaa

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d413f994cee555f60474c9a965882523
SHA1 8d46c1d9687b24bcba1fe987fd859ab9bf2c73a5
SHA256 dd919b991b066c8c07bd94cf46e36d03eca11dba4b512c9c73ac25ccff75d5c8
SHA512 fdbe892b6cb2d23a5286f21a7ffc84be80ea516c74c5efbc4d76b26711eee14412b5accd4f26ee55b4a47b69b3e7c81c855145547b1a3cb7fb961c0346de7e09

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f48fd748513cfc3a7014b86ef62130f0
SHA1 fceae2db7f70c5acf40bf5eb560cb61748c9fa72
SHA256 44c39c8b41a8a617153780a7064e1668254732194abdce67ca378ce1a10972de
SHA512 5c26e88b27346425bf116909c36c76d461d7efbe63782b15b88714710994dd8b4d9c6f11afd21b00512aac688533c35b06b60aa9066fd6cd267640d772311a81

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 63dcd29a919c0f5984a76f4d6ab2c268
SHA1 8ca07e45f2d0c58db2e29d30ac7b462297fe7381
SHA256 31f9218ddf828232a2a97714ca882321549dd60d6dcd5f9986d1b79d67d5e9d7
SHA512 0d42e9fd1198b64fc537ab1c3a6f769eb771d4223e9ed2b13423876b25b0d77f9c7b825c17042d813f8a5b650be18d54efd319b844609bfeab5e10d8c770d200

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7efe3dcfc44ec6eff654ff6be73b68f7
SHA1 00695f0cde680acdb87569330639ab786adcdf74
SHA256 5cea2001ac305fcc2097c7bf265313d52eb735d9a50f85f17411d6a74525c8cb
SHA512 6a55a971cdd27006ce4d822958372afb313940f63685355c583a1dc5a347e0f975265b3b1699b484be0fc7055d60f654c69057d0866e6dccd29b1e2766d7a7ff

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c816945e053b0868b37d6674fef9147f
SHA1 adb94b4941a5f8e97e8a78eb352fc5e57ad6736c
SHA256 6347e0823e60fb303a2a7e1caefcd78df5ac4f134a7d9af6788b63bae7c6eea3
SHA512 35583866a9c77c452ec804629f9269f7cc6b70a13a86239ec891ad8e15c1c298baccdb1fa387445a1d3d3fdece162119304601d509d4d8e3332dc4b5fa0ba440

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c6c6846c392b8573529c43c3e5a5b397
SHA1 6d4c1f165d30717a49d3f6de5c7fe4bed15f71b0
SHA256 2671943a28d9e6812c1d889adcfcb567cfd8fe6dec9ebc8dac83513de8dad54f
SHA512 57a6c3331dd40072b891d0211dbc34aea41c93274faf14025ff5b6fd41ebd65bdb48bd68e31bd65e28cb2b514988ecf41a2377d88e16a670c2dc49fccb37d60d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e70d6a5c0fdc2132d1e4aa5283c00149
SHA1 28cbba89796179437c8f04267d7fd434fe47181b
SHA256 7cc9a3d6a34b35d6172aefd7a852dc61b0030cc05276988fd9f2b1b4077dda44
SHA512 c83a6d312491f7e9c662a4dc8ac58db5c3075bc87712f82e9f7b362248142b622afb03b4a005b040fe84bdf494b4fbc19abe4e3635eeb8c1d19e250f698679ab

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7c8d17420067db13c2bbdbea6cdb6386
SHA1 d0fddaf53de5895dcbe4fe8c53c566aee3b9989d
SHA256 a0e8371ca17e6a1366f8f40fb8517e06e64bab9a06067e2797fc691611ceea6c
SHA512 475a50e07da6378e6c049584ce95a5828280768cd7948c2823fcd2be564baeae18cedb503f67b76b7c755734924f3663b7d15458e14e40313da2f1e3ef71777a

memory/3480-1189-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8dfbd00b318aef984f4b020314b6d552
SHA1 ab175c60b9a9031c55af3a480bcfff7f2a94dd8f
SHA256 b21fbae044f039ca610f9983277aed0d49c159bb39161e815e7e773b0be3d42b
SHA512 171770cc8c9c24273bfd5b401d562e5ba4468a6c2552b642202a0e85ce5bb3bb81268019b83d37526ba953925a52cd3019df1456976ef747eaa487634352d947

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f7e42f0e9eca38a7aba1269ee9f59616
SHA1 5ec434637b96e13990084268507d79e908f3545a
SHA256 c3595336ae3c25ee14dba8475070f131fa8bc98725605cb5e1330b8f101a15a9
SHA512 7fb68ca125029ee1f7d62ff5c1ae7470a64be94bd83818ecbf2996d38db51972528ff0a8fe8dcd08176ea98f4919275c1635cea3f9bf6de35614401c42ba0401

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1cf8d6c03946836b98a9d30a656cc35c
SHA1 fac605b42d1598ac06541a72ad73d56cb23eac35
SHA256 3c2ade960882acf4dbec491587851fbb50327ff549b890cef88d2b4e773cfef1
SHA512 be2889e03710620ae9b1d8e84d7e3c3a7a5cd221a1b8354a83c3f394e58b359f77c3746b002d99fb4b770f729ec427894c0b3ee8d6ec1dc8f5b41238867ee506

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 cb57f1a13d106420d6c0dfdd43760c1c
SHA1 d71813728ef84854649248667566f60fb27713f7
SHA256 2877e61cfbc145e7effbdcfa173bdf2ebac10374f6f395318e956bf0d712e030
SHA512 385b85ad496ef726e6b7e32ad43cca48cf47616a0789643ea20822f95d128bf5b21559fdc8a9dc2f1fe2027d45016d49cb720cd19f298a969bbc2d9f71bc42e2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e509aa6ec297137996f130b9f2bd7ba4
SHA1 72be74c9ffa744d87701078eddb44131340266dc
SHA256 dbec19a107d87a320df4494d7d2ae56f317e2bf44797707332337ad5ab6c2716
SHA512 c34e50cf9c013222146e7858323c3a2273c1be3ca439d6076c49b04b997cfb484d39d88be231063b756090f572b9f2f18c3f20ff346ed87d9eb2df27672d053e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 43f12a585ee651bd37a38cc8428955ef
SHA1 ebc798b92b33b16e63e5621d4b5cf199291b4dcd
SHA256 1ac619beae6a6fd7e1a011abdd58778ecba72658312d4dce1364d62e802fafc0
SHA512 0a9c624449be4a6bb268427b784b03726fb61e8e8c7c9ad42433bfd3654b19019d3eed2b92d91cfc2c140a7f75d9db2c13425e4bd21771a9c813fc060e6d88b3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 017dbde9b35e6d7f3b10d50028b5c08f
SHA1 0df4dcbe61b73f248d84815161331cda37c29869
SHA256 c79be13756d623d68d52de3ff549d262d76e0f37d14813778edef62dd9027bb4
SHA512 629c3c1aa355652db787e3fa08001e9dc18abcb687c08d9f7ebec83aa473168537df4ac8a014355353e2c72102eb96ac22a8ae87a873d237fa688d4cebd6cf41