Malware Analysis Report

2025-06-16 00:59

Sample ID 220919-clk72afhdm
Target 6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e
SHA256 6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e
Tags
cybergate vítima persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e

Threat Level: Known bad

The file 6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e was found to be: Known bad.

Malicious Activity Summary

cybergate vítima persistence stealer trojan upx

CyberGate, Rebhip

Modifies Installed Components in the registry

UPX packed file

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-19 02:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-19 02:09

Reported

2022-09-19 03:10

Platform

win7-20220812-en

Max time kernel

150s

Max time network

62s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\install\server.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\install\server.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\RTFClassName\WrdPrfctDos C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174} C:\Windows\SysWOW64\install\server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174} C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\RTFClassName C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\RTFClassName\ = "WrdPrfctDos" C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe
PID 944 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe

"C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe"

C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe

"C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 macaracar40.no-ip.info udp

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 ffc4a8e3c1c9815878119da76433940d
SHA1 2b59cbc49e836df01c43290f99cc9612edd6dea3
SHA256 a0b5e8f29b262a2e0d98e57a143969a2e5fe4f47ab7293b324eb9107b533bf77
SHA512 048c2d60fa100c60df602db71c5160a2ee4a90a93e3e13be78dace4129afe32affcefe1f3887a9635bc230134900a40bc3c3ff3a41665752f2781ec70a7dcd17

C:\Windows\SysWOW64\install\server.exe

MD5 da6c55b1b2a21e22bb4c74e8bae276e8
SHA1 1b0f513100fe2f8cef54bc1e54638a701c51f74f
SHA256 6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e
SHA512 b1611dc3100957d7658cecfe9ad53207fbac37a9035857c0639a321e307d63ecfe4308ec7f6150c64a104c82b711b0e150152543d1e824790a77b5c9260d7e54

C:\Users\Admin\AppData\Local\Temp\5C4E791B.TMP

MD5 160403db861be5c03b40f106d12dd7d7
SHA1 999aab37d39df860713b668567b74f40d68ff462
SHA256 cf3cc6edfb9ed488eed94efe1f379e165501197b90de7df5041c77dd86db2427
SHA512 8c911466ae2deba94f1e94209f6319fd82dd23f33a91d108e59e2f77e27abcf506744d4934d70c5082678408a31bca1255bd48c2ecc6aec16b2c66ae02ba84c1

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-19 02:09

Reported

2022-09-19 03:11

Platform

win10v2004-20220812-en

Max time kernel

154s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\install\server.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\install\server.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\install\server.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174} C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\ = "RASGCW Auto Trigger Control Page Class" C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32\ = "%systemroot%\\SysWow64\\rasgcw.dll" C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174} C:\Windows\SysWOW64\install\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4412 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe

"C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe"

C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe

"C:\Users\Admin\AppData\Local\Temp\6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2748 -ip 2748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 692

Network

Country Destination Domain Proto
US 8.238.20.126:80 tcp
US 8.238.20.126:80 tcp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.253.208.120:80 tcp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 8.8.8.8:53 macaracar40.no-ip.info udp

Files

memory/1816-133-0x0000000000580000-0x00000000005C8000-memory.dmp

memory/1816-138-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/1816-139-0x0000000000581000-0x00000000005AF000-memory.dmp

memory/1816-140-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/1816-143-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/4412-144-0x0000000000000000-mapping.dmp

memory/4412-145-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1816-148-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/4412-149-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4412-152-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4412-153-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4412-155-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4628-159-0x0000000000000000-mapping.dmp

memory/4412-161-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4412-165-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4628-164-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 ffc4a8e3c1c9815878119da76433940d
SHA1 2b59cbc49e836df01c43290f99cc9612edd6dea3
SHA256 a0b5e8f29b262a2e0d98e57a143969a2e5fe4f47ab7293b324eb9107b533bf77
SHA512 048c2d60fa100c60df602db71c5160a2ee4a90a93e3e13be78dace4129afe32affcefe1f3887a9635bc230134900a40bc3c3ff3a41665752f2781ec70a7dcd17

C:\Windows\SysWOW64\install\server.exe

MD5 da6c55b1b2a21e22bb4c74e8bae276e8
SHA1 1b0f513100fe2f8cef54bc1e54638a701c51f74f
SHA256 6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e
SHA512 b1611dc3100957d7658cecfe9ad53207fbac37a9035857c0639a321e307d63ecfe4308ec7f6150c64a104c82b711b0e150152543d1e824790a77b5c9260d7e54

memory/4628-168-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/4628-169-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 da6c55b1b2a21e22bb4c74e8bae276e8
SHA1 1b0f513100fe2f8cef54bc1e54638a701c51f74f
SHA256 6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e
SHA512 b1611dc3100957d7658cecfe9ad53207fbac37a9035857c0639a321e307d63ecfe4308ec7f6150c64a104c82b711b0e150152543d1e824790a77b5c9260d7e54

memory/1404-170-0x0000000000000000-mapping.dmp

memory/1404-173-0x00000000004B0000-0x00000000004F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5C4E791B.TMP

MD5 e0a1a61c6f94ef5d4835852d5cd1c3a2
SHA1 82132f0182430d5761de661ee9f31797d1ac1890
SHA256 4657c6d6e0fdfdce3ef6ae0974438e78702e0eb55d9172142747ab950e1cbcbd
SHA512 3c70d0fde969c081441e50c0f8d456f60ee0dd638da1bf34607befd98c6bc7c67b6a0eb8e4721b663801b400e8f13aa70f6efd38a41cae34f09f2f5856f434d6

memory/2748-181-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 da6c55b1b2a21e22bb4c74e8bae276e8
SHA1 1b0f513100fe2f8cef54bc1e54638a701c51f74f
SHA256 6af9c00c9e02b21d3077bc54f438fa6faab0d653a6d7533bb8355819ca53eb3e
SHA512 b1611dc3100957d7658cecfe9ad53207fbac37a9035857c0639a321e307d63ecfe4308ec7f6150c64a104c82b711b0e150152543d1e824790a77b5c9260d7e54

memory/1404-186-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/2748-188-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1404-187-0x00000000004B1000-0x00000000004DF000-memory.dmp

memory/2748-191-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2748-192-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4628-193-0x0000000024080000-0x00000000240E2000-memory.dmp