Malware Analysis Report

2025-06-16 00:59

Sample ID: 220919-ccrnfsfecm
Target: 15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2
SHA256: 15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2
Tags: cybergate vítima persistence stealer trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2

Threat Level: Known bad

The file 15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2 was found to be: Known bad.

Malicious Activity Summary

cybergate vítima persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-09-19 01:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-09-19 01:56
Reported: 2022-09-19 02:54
Platform: win7-20220901-en
Max time kernel: 152s
Max time network: 47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\install\server.exe | N/A
N/A | N/A | C:\install\server.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{01G4M1ID-4XB4-422K-5I1E-85E0M7543HJA} | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01G4M1ID-4XB4-422K-5I1E-85E0M7543HJA}\StubPath = "C:\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (16 identical matches, no further detail recorded)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
N/A | N/A | C:\install\server.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1752 wrote to memory of 1540 (8 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe
PID 1540 wrote to memory of 1704 (56 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe

"C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe"

C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe

C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe

"C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe"

C:\install\server.exe

"C:\install\server.exe"

C:\install\server.exe

C:\install\server.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dansla.no-ip.org | udp

Files

memory/1752-56-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1540-57-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1540-58-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1540-60-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1540-61-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1540-62-0x0000000000455BE0-mapping.dmp

memory/1752-64-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1540-65-0x0000000075111000-0x0000000075113000-memory.dmp

memory/1540-66-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1540-67-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1540-68-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1540-70-0x0000000024010000-0x0000000024072000-memory.dmp

memory/576-74-0x0000000000000000-mapping.dmp

memory/1540-76-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/576-79-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/576-82-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1540-81-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 2af930e3b6300a7e89ec551951853ba8
SHA1 a2a1bf6dc739a1b3483b0ae353187354c452bd55
SHA256 a1d2036e5d1b3c2c509f4d43739878844bb2103331bdd710433bb8ca3d23e090
SHA512 490e0fe0baaf9b15e102321e4964d38cc35d07d911ed2fc1e96f555f8f16478799da4186b4ead1e8cbbdddef0bf43de9fb787f62d63cf0e5728b7020614913b6

memory/576-84-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/576-85-0x0000000000400000-0x0000000000469000-memory.dmp

C:\install\server.exe

MD5 6025e55ca26c01da1ddcc0d26dd9c3a8
SHA1 548b69f40d56b23262323e238bc3d264be2499dc
SHA256 15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2
SHA512 c79851f467bfb01bc16e5c9c466d73f6ce5fc64ee22286c049aa5f64f3137dae248727b28ae6b64d70deb2a3249bc6efe622b08fba003859caa2b7bfc33ba4d5

\install\server.exe

MD5 6025e55ca26c01da1ddcc0d26dd9c3a8
SHA1 548b69f40d56b23262323e238bc3d264be2499dc
SHA256 15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2
SHA512 c79851f467bfb01bc16e5c9c466d73f6ce5fc64ee22286c049aa5f64f3137dae248727b28ae6b64d70deb2a3249bc6efe622b08fba003859caa2b7bfc33ba4d5

memory/1948-88-0x0000000000000000-mapping.dmp

C:\install\server.exe

MD5 6025e55ca26c01da1ddcc0d26dd9c3a8
SHA1 548b69f40d56b23262323e238bc3d264be2499dc
SHA256 15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2
SHA512 c79851f467bfb01bc16e5c9c466d73f6ce5fc64ee22286c049aa5f64f3137dae248727b28ae6b64d70deb2a3249bc6efe622b08fba003859caa2b7bfc33ba4d5

memory/1532-97-0x0000000000455BE0-mapping.dmp

C:\install\server.exe

MD5 6025e55ca26c01da1ddcc0d26dd9c3a8
SHA1 548b69f40d56b23262323e238bc3d264be2499dc
SHA256 15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2
SHA512 c79851f467bfb01bc16e5c9c466d73f6ce5fc64ee22286c049aa5f64f3137dae248727b28ae6b64d70deb2a3249bc6efe622b08fba003859caa2b7bfc33ba4d5

memory/1948-101-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1532-102-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1532-103-0x0000000000400000-0x0000000000457000-memory.dmp

memory/576-104-0x0000000004D90000-0x0000000004DF9000-memory.dmp

memory/1532-105-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1532-106-0x0000000000400000-0x0000000000457000-memory.dmp

memory/576-107-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/576-108-0x0000000004D90000-0x0000000004DF9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-09-19 01:56
Reported: 2022-09-19 02:55
Platform: win10v2004-20220812-en
Max time kernel: 154s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\install\server.exe | N/A
N/A | N/A | C:\install\server.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{01G4M1ID-4XB4-422K-5I1E-85E0M7543HJA} | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01G4M1ID-4XB4-422K-5I1E-85E0M7543HJA}\StubPath = "C:\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (14 identical matches, no further detail recorded)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\install\server.exe

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe | N/A
N/A | N/A | C:\install\server.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4216 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe
PID 4216 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe
PID 4216 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe
PID 4216 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe
PID 4216 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe
PID 4216 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe
PID 4216 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe
PID 4216 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3624 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe

"C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe"

C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe

C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe

"C:\Users\Admin\AppData\Local\Temp\15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2.exe"

C:\install\server.exe

"C:\install\server.exe"

C:\install\server.exe

C:\install\server.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1856 -ip 1856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 508

Network

Country Destination Domain Proto
US 52.168.117.170:443 tcp
US 8.8.8.8:53 dansla.no-ip.org udp
NL 178.79.208.1:80 tcp

Files

memory/4216-132-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3624-135-0x0000000000000000-mapping.dmp

memory/3624-136-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4216-139-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3624-138-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3624-140-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3624-141-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3624-143-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1440-147-0x0000000000000000-mapping.dmp

memory/1440-148-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3624-149-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1440-152-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1440-153-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3624-154-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 2af930e3b6300a7e89ec551951853ba8
SHA1 a2a1bf6dc739a1b3483b0ae353187354c452bd55
SHA256 a1d2036e5d1b3c2c509f4d43739878844bb2103331bdd710433bb8ca3d23e090
SHA512 490e0fe0baaf9b15e102321e4964d38cc35d07d911ed2fc1e96f555f8f16478799da4186b4ead1e8cbbdddef0bf43de9fb787f62d63cf0e5728b7020614913b6

C:\install\server.exe

MD5 6025e55ca26c01da1ddcc0d26dd9c3a8
SHA1 548b69f40d56b23262323e238bc3d264be2499dc
SHA256 15c538e41dee23fcccca4ded334e4df760cdaf597d64ff90cdaa5b0b42ee74b2
SHA512 c79851f467bfb01bc16e5c9c466d73f6ce5fc64ee22286c049aa5f64f3137dae248727b28ae6b64d70deb2a3249bc6efe622b08fba003859caa2b7bfc33ba4d5

memory/4240-157-0x0000000000000000-mapping.dmp

memory/1856-161-0x0000000000000000-mapping.dmp

memory/1856-165-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1856-166-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4240-167-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1856-168-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1440-169-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1856-170-0x0000000000400000-0x0000000000457000-memory.dmp