Malware Analysis Report

2025-01-02 14:08

Sample ID 240903-3f7f7azeqr
Target cb44cafd8070323fe108f19c9afcae10N.exe
SHA256 2324baf9b9e29806f6e4346c5ab351acd474b182aa138d87ca4ccdca701a75c0
Tags
cybergate remote discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2324baf9b9e29806f6e4346c5ab351acd474b182aa138d87ca4ccdca701a75c0

Threat Level: Known bad

The file cb44cafd8070323fe108f19c9afcae10N.exe was found to be: Known bad.

Malicious Activity Summary

cybergate remote discovery persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-03 23:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-03 23:28

Reported

2024-09-03 23:30

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q} C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q}\StubPath = "C:\\Windows\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\install\server.exe C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
File opened for modification C:\Windows\install\ C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
File created C:\Windows\install\server.exe C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\install\server.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\install\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE
PID 2356 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
PID 1548 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe

"C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe"

C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE

"C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE"

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1920 -ip 1920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 572

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE

MD5 2f16426a0274725cf8ff7c44ffcbd275
SHA1 fd9937938d814ab83d78983b17f941b4e0139794
SHA256 59e0a784eb6f56e411946e86e015672786d830f69b2fc1f8886692f10f197ac7
SHA512 e6031d309b81b1ee3e88efa3eea80523098d6dda5018949b48ed63682569c776ba3956fd18151fa853b54955f0f248487bd1fff9bdd73d80cbc035229353a014

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

MD5 dde3e497c0924260d286ff11bccbb6ec
SHA1 de0847cca9180e94d0d20fbdaa3e23189f9a4454
SHA256 64e43c1240b8c762720a9e0754cc2fb27a498a444b3918e285ad0ceb598b1962
SHA512 60b874446c4fbdfd0a3bbf05c67105a39e24033834b4af74b1e89438249cca996a073d3aa54bb5711a79300e507590554ea65eb2366ed6b069f72a55c484e364


C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 b87bf5a04d6f0aa4ead70d655c0af299
SHA1 52160184112c0bec6c539d939d71d6dcef6a07a3
SHA256 9052750374fc200907798ff1b08216b54f0ffc0eaeb56c1f4b609264b9eb6668
SHA512 415fee417e51c8ed741a10130f809e4e83e4c12d70deaa7291418bedc562ed14da800ce66952d9616e76ecbcc7bc2ef3357d231372e47325700c6accafcd5d59


Analysis: behavioral1

Detonation Overview

Submitted

2024-09-03 23:28

Reported

2024-09-03 23:30

Platform

win7-20240903-en

Max time kernel

116s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q} C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q}\StubPath = "C:\\Windows\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\install\server.exe C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
File opened for modification C:\Windows\install\server.exe C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
File opened for modification C:\Windows\install\ C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2448 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE
PID 2448 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\SERVER.EXE C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe

"C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe"

C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE

"C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE"

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

\Users\Admin\AppData\Local\Temp\RESOLVER.EXE

MD5 2f16426a0274725cf8ff7c44ffcbd275
SHA1 fd9937938d814ab83d78983b17f941b4e0139794
SHA256 59e0a784eb6f56e411946e86e015672786d830f69b2fc1f8886692f10f197ac7
SHA512 e6031d309b81b1ee3e88efa3eea80523098d6dda5018949b48ed63682569c776ba3956fd18151fa853b54955f0f248487bd1fff9bdd73d80cbc035229353a014

\Users\Admin\AppData\Local\Temp\SERVER.EXE

MD5 dde3e497c0924260d286ff11bccbb6ec
SHA1 de0847cca9180e94d0d20fbdaa3e23189f9a4454
SHA256 64e43c1240b8c762720a9e0754cc2fb27a498a444b3918e285ad0ceb598b1962
SHA512 60b874446c4fbdfd0a3bbf05c67105a39e24033834b4af74b1e89438249cca996a073d3aa54bb5711a79300e507590554ea65eb2366ed6b069f72a55c484e364

memory/2448-11-0x0000000002C80000-0x0000000002D83000-memory.dmp

memory/316-17-0x000000007405E000-0x000000007405F000-memory.dmp

memory/316-18-0x0000000000880000-0x00000000008F6000-memory.dmp

memory/2072-23-0x0000000010410000-0x0000000010475000-memory.dmp

memory/2792-43-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2792-46-0x0000000000400000-0x0000000000503000-memory.dmp

memory/2072-44-0x0000000001E20000-0x0000000001F23000-memory.dmp

memory/2792-34-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2792-28-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2072-27-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/2072-355-0x0000000000400000-0x0000000000503000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 b87bf5a04d6f0aa4ead70d655c0af299
SHA1 52160184112c0bec6c539d939d71d6dcef6a07a3
SHA256 9052750374fc200907798ff1b08216b54f0ffc0eaeb56c1f4b609264b9eb6668
SHA512 415fee417e51c8ed741a10130f809e4e83e4c12d70deaa7291418bedc562ed14da800ce66952d9616e76ecbcc7bc2ef3357d231372e47325700c6accafcd5d59

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2792-376-0x0000000006140000-0x0000000006243000-memory.dmp

memory/2792-378-0x0000000006140000-0x0000000006243000-memory.dmp

memory/2088-380-0x0000000000400000-0x0000000000503000-memory.dmp

memory/316-381-0x000000007405E000-0x000000007405F000-memory.dmp

memory/2088-383-0x0000000000400000-0x0000000000503000-memory.dmp

memory/2792-384-0x0000000006140000-0x0000000006243000-memory.dmp

memory/2792-385-0x0000000006140000-0x0000000006243000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 955cfa12aa30999581c48866132b1da0
SHA1 1502b04dfbcefd10f0a65ba59df3c88ddb65d7be
SHA256 3836674fa62207b05ed20b0a775fbd29564972c035254b81f63b8afefcaeb743
SHA512 f130978b3badf6be040cb5a8a7ad0f92d013e2ba0ce2283fb5c5cde7185d9fa343fd663ff48731835004cd37e544be74c9e57abd308d6b6512fb7c8ed7e77720

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3fab5a31d90ca41ec04baffc86fdc1fe
SHA1 28875954cf7991b6e3c66528f18a618d67dbdbe1
SHA256 394bf5fc879cc91179561e1dcd453694058f5b0a2ab138b6020c6c58170eba27
SHA512 6041d2e112f7367fdf7af904f0eff00fd66dbdc2deb5bfa96ffde1d9fd09f56d239b062a361b1e1c72b74535ba9a1026d7a30b599cd6b00bc7388bf4a8c455f5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fb4e0cf48aabb84d0bf2ec23638e633f
SHA1 d942c7a0f81007e2692fcc217a6c70ff035e7036
SHA256 a9605b91bddae9d495059f71a324a27956eacf68a65ed204320398b46123e6ec
SHA512 7d85d0d21e1fe87a05ad08bc3f6b60d73c45530ab72a75fbc8217c5c1b411e35aedc2ddd2afa37288c75a9a6b1bef20ec3dd81540da250eb84f93f53b8324d86

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 426016363a3d4b88efe85229b805de8f
SHA1 0f04407a0c56573ae302863083ac8f8176dbe34f
SHA256 f9415d0fb2dda7ba6f791046e1df86e1d2c1e2f053ce64d91f9673c56bee268f
SHA512 c7e4ab8acbbaa28b6b571b4056303f920a4ee97375dca517cdda100c4ef872dfea55479be3121f9a5a8e33d6a15497d90d29b8056bd9ae4830008de666fff3f0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 addd656a883a2d7f9012bc4f6ee4955b
SHA1 480859402ed10ff7f09cb9a73f2506ddd91cd573
SHA256 14cc6f2806b6c5d3ca960ef718495de179d3b8cf30bd9dbc9044b697fe4ccc01
SHA512 01fac61ba8ebfeb853d92f23f7e064e6806c618d51bbc841de8755845639dd4fe0eb532bb2d68fec4ca7526885bf663618f9b55dfb66896c325c30f34f6e535f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 75e48b9b260f8eb417229128177a347e
SHA1 336dd9fa39d8cc9886de62ebd7a09eb8a596844a
SHA256 64810f6f66884990d74e43123659374da8913276a8c4e177238868f595a61d0b
SHA512 ebd0186e8338f8a54b6ef9aad0507f898d46eb6f834a8a36dcfe7e6e4c72c877b21d99d209d83f84b7dc316c005c06044957e63cd5925f3698e3fdf51e2175a8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fa80d6993f410933ec8b4253bb68da36
SHA1 f8614e3a0d6e4a3f0bd2a98eb93ceadc985b1b35
SHA256 fb4e89ac830719c0e40cea3041509a7bf78045b169b682c1f5a735a6c389e1ac
SHA512 a32c5bb1d350849618c649df70f11d85efd467af5716c6d214a44eeaeaa5b1255025b351bfb66f435aa3cb5fef9c04a5f6de02284770ccf0f5389fa85b714a25

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4c42b2a03722b5e207b34ad74384a562
SHA1 35d9ceb2a79c59c1a926f64fba24e7742ff991f9
SHA256 70aaf7bd5f99aecd75046098d7ac698a236cb9ccc17ccea652abc0884e1619b0
SHA512 345b76c055719818e302ec2187699095199e69dfa632986370ffc8cacf0df40ec4749a2498c389f7f9942a485e765b62818d21a4ab8ab6873f3915d632f5a7ab

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b0d50f9792487e0d6523e9c3c8e5373f
SHA1 025a1cf5e7f37b1e121d07ca04c044551687bbdc
SHA256 86376ee210438b923c97f63d168a182daf3ce31b31ce0db323bd61d2090ef51b
SHA512 1921a3dc3231b20a13e8a33781a5d599af5626391da6087bd8c9b31880eb78d8537c9ba11d847a651863afb0d1befdfba2bb294212cc0f4a2b33dec56673d03b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 aeefe99518c7e3e39380be66947a7988
SHA1 490d5a11838f3bc009153214d8794937c6772d0e
SHA256 4adc10fd77d69b0fc61f63bf8de0fa887a544c7ddc6504eaf192d68ae7d5f7e0
SHA512 399e2991c9e7affc2955ce620a4f9e6e23d79eb23c90ad13cb35d68e73f15446ee79a1314f2110c27f7060c2eb32ed2e2022d2326349ee9c93b0c936686fef37

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5b3b177366edabdecd84690131f816f5
SHA1 fe3054ca69df8ee6d24de8cf3cfd5f41923c2ee8
SHA256 53da0acd0189ffae929da254f8d83110fb5f8777deb0c0d1f7c1a144ed6a9aa1
SHA512 c8553c6577ee35eb53e83aad1260353c45cedfeef1430d8517b4a3838012c82bd17fb56bc6096120f7d6bb219e061fb49220bd00fe8e196e5c2fb7ed1904a019

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e49fb63b4cf3f8a8719039acd3deaa94
SHA1 3954e832b31a0b6c0a541ebd1fe3eaf829577bff
SHA256 3fd47994ab496fd8a7d3dddda800aa8f05be82ae415d4f396b98694d3089d962
SHA512 f1d40b2ec5829273abf75544e5ad92ed5b3d527649a0ba6d37653b45f39ffbbefc34742db11d5f97f3e9c5edaf4e18bc6eacd7d1a217979def87a665ca24ce1e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3e26676390fa3627351d0fbb8f46e353
SHA1 7c94c27000ef7a92b53c76f72acf0ee2d08fd8d4
SHA256 23a81b5374f7b1802014ba3482f26c0812adb074c65f695d3f3934dd779712b0
SHA512 274952506df1eb39e75a229956e57fc815b3b045af08de31cd5aa0328b7f2f2520b4d97c10082922e49e1dc7aff385ce9eedba569eca8263a219cf0c694fe76c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 81ecf1fbddba77d670c2c9488179d97b
SHA1 a50d2e0fa34547e20efc24eed3081e7d3dab8536
SHA256 6a1f741ed3b0a5c6026aaddfe7c1b96e5eef590b9f3ff247ded6127710bd2f36
SHA512 0d5625117d7df25de40521cd6ad528a0d1d3fe91e58a1216b2fd7e1d0043ff5a91930b571447597974ea31ae02a19969529affa4d5c612a604ce2a234c224db0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 45d6e25432fea1dc303213f2fd56b5ff
SHA1 8a54ab4996434ca8f7007adfa7d717e9688c8ed1
SHA256 82430f18c39612cb1eb8400aab1f5ba7daba6e63fd356f02e3076e7be71acb4a
SHA512 2901c690c540526197ddd6a0027431f4c65ae9f84a17e001eee9bc71376d1e13d5c38a63c92a976875c01394ca532f95716ae68b25d7a9405ea3dabed4a68cb3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a6b92ddeea7dbbe2c4929222c59ca0b7
SHA1 f52d3d261539873de2a69f2ea757471d2c845dde
SHA256 66bb2965bafe8870369ecd9ad35b6d293705179ae1bf2d70a3b708eecc67cbd5
SHA512 557b3b983f465c95ab0e77a51b8b338618cc7846ae21d7ddee922d6a4ae92861fb60bd30e0b0f8d822a81771da5f34240eb84bf2eb56359ebf00aec28e6ae2c3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ed5cc0f535bcd22dd0f0f699d9607709
SHA1 a31d0da4fa8ef776e0c1b4a5dd6431f801310254
SHA256 7c20395808c8b0563378dd971a318e7c4c2acf59a9cda8b003ebb672e397d362
SHA512 00714ea1893fcfcf4a7e915ce108afc235de2fdec76e31295949b679f8c7d1cf1f4b32344b4e14ae4e3fe1f59cb8f4cdf8d3c116981c2c79cee78c1a4fe70c39

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 434c56917d33209423c40b45c04ea53c
SHA1 a34e10f8baeea55509b64da9054f14ec8c476413
SHA256 65c54d890d894cb7f646e35a5eff190ccc6c2b188e4e85132ca96179f0627c75
SHA512 b9b2812c0da459c49bdf5e2a43901076d6d4cc4823082514032a0cb35ae902026bb93f2082b91163bc7af6d3d1b5bdf8303708957e6f6dac9f3dc2c598b87089

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1207613b3b2d72882f992a520617d077
SHA1 23e3705a2101498153129a3da8e5ed31b13e5195
SHA256 030ea9facac03b4c9040bc227aadcc9ca3ac64f6446dbd8cc1b4ff3ee5d874d8
SHA512 de9c3dd8653851516dcf66407b52bf2a8a5a0ef84597d9534b581212e5cc357936dbae851b6914b2c12a60ea779795e7638223ff859550bd9cd7cbceed2ad44b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5dd9da9f06e47883bfdbb9f182fb6b45
SHA1 7e91f8731ac53e00284dc88ab6e24089c8ddd6da
SHA256 7988279d24384911525f3aa8b819f106bad2b4f72b5b2e8607716a46074fd327
SHA512 7bbc687f40f385d5e56e1576c1c929ca51bb9ca7dd807c4d86055f06599bd2519bb1d34b303e35fb59ab8e1bd595d20bdd35d62ab0143da632cb2f475e5dc18b