Malware Analysis Report

2025-08-10 17:47

Sample ID 221021-sjpqfageel
Target bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577
SHA256 bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577
Tags: upx otario cybergate persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577

Threat Level: Known bad

The file bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577 was found to be: Known bad.

Malicious Activity Summary

upx otario cybergate persistence stealer trojan

Cybergate family

CyberGate, Rebhip

Modifies Installed Components in the registry

Executes dropped EXE

Adds policy Run key to start application

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-21 15:09

Signatures

Cybergate family

cybergate

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-21 15:09

Reported

2022-10-21 15:12

Platform

win7-20220812-en

Max time kernel

152s

Max time network

71s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(row repeated 14 times)

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
(row repeated 64 times)

Processes

C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe

"C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe"

C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe

"C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cocoderato.no-ip.biz udp

Files

memory/1652-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

memory/1652-55-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1984-57-0x0000000000000000-mapping.dmp

memory/1652-59-0x0000000000220000-0x0000000000277000-memory.dmp

memory/1984-60-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1652-61-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1984-64-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1984-66-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1652-67-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1984-68-0x0000000024010000-0x0000000024072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 adab3092d4eee0e6a216b57c8042c73d
SHA1 81baf7c2e7c8f6b55baf0bddf299df117c74e6a5
SHA256 c9c9a60293de14a073e7875a4351daad8fb62d68399044c49fb00957186140c7
SHA512 9c9aa60d8e133409cca4d9311ac73e5b3dc62dccef143b4b9f81b44c721ea3f0c2ce44b745cc5b94679a40771c26ff50fe1ef45c8cc0952c219da1d4fb829d9a

C:\Windows\SysWOW64\install\server.exe

MD5 15c629aeebbcba838f665eb0d96dd941
SHA1 21cc9fe5130ab2291926a7e82e51c771f6536ef8
SHA256 bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577
SHA512 2b2b1afcba52d35568ebf1b5270bad4671e2de256f2f19e44fbddd3880aeeaecac9f1c8d78b46875251b5e4e0fe1262ef5f2923d079dbd5b27dc6f14fffe0ca8

\Windows\SysWOW64\install\server.exe

MD5 15c629aeebbcba838f665eb0d96dd941
SHA1 21cc9fe5130ab2291926a7e82e51c771f6536ef8
SHA256 bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577
SHA512 2b2b1afcba52d35568ebf1b5270bad4671e2de256f2f19e44fbddd3880aeeaecac9f1c8d78b46875251b5e4e0fe1262ef5f2923d079dbd5b27dc6f14fffe0ca8

memory/1536-73-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 15c629aeebbcba838f665eb0d96dd941
SHA1 21cc9fe5130ab2291926a7e82e51c771f6536ef8
SHA256 bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577
SHA512 2b2b1afcba52d35568ebf1b5270bad4671e2de256f2f19e44fbddd3880aeeaecac9f1c8d78b46875251b5e4e0fe1262ef5f2923d079dbd5b27dc6f14fffe0ca8

memory/1984-76-0x0000000005160000-0x00000000051B7000-memory.dmp

memory/1984-77-0x0000000005160000-0x00000000051B7000-memory.dmp

memory/1536-78-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1536-79-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1984-80-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1984-81-0x0000000005160000-0x00000000051B7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-21 15:09

Reported

2022-10-21 15:13

Platform

win10v2004-20220812-en

Max time kernel

169s

Max time network

188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(row repeated 9 times)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\install\server.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
(row repeated 13 times)
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe
PID 4200 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe

"C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe"

C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe

"C:\Users\Admin\AppData\Local\Temp\bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1568 -ip 1568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 568

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 52.168.112.66:443 tcp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.252.51.254:80 tcp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
NL 104.80.225.205:443 tcp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp
US 8.8.8.8:53 cocoderato.no-ip.biz udp

Files

memory/4200-132-0x0000000000400000-0x0000000000457000-memory.dmp

memory/312-134-0x0000000000000000-mapping.dmp

memory/4200-135-0x0000000024010000-0x0000000024072000-memory.dmp

memory/312-138-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4200-139-0x0000000000400000-0x0000000000457000-memory.dmp

memory/312-140-0x0000000024010000-0x0000000024072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 adab3092d4eee0e6a216b57c8042c73d
SHA1 81baf7c2e7c8f6b55baf0bddf299df117c74e6a5
SHA256 c9c9a60293de14a073e7875a4351daad8fb62d68399044c49fb00957186140c7
SHA512 9c9aa60d8e133409cca4d9311ac73e5b3dc62dccef143b4b9f81b44c721ea3f0c2ce44b745cc5b94679a40771c26ff50fe1ef45c8cc0952c219da1d4fb829d9a

C:\Windows\SysWOW64\install\server.exe

MD5 15c629aeebbcba838f665eb0d96dd941
SHA1 21cc9fe5130ab2291926a7e82e51c771f6536ef8
SHA256 bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577
SHA512 2b2b1afcba52d35568ebf1b5270bad4671e2de256f2f19e44fbddd3880aeeaecac9f1c8d78b46875251b5e4e0fe1262ef5f2923d079dbd5b27dc6f14fffe0ca8

C:\Windows\SysWOW64\install\server.exe

MD5 15c629aeebbcba838f665eb0d96dd941
SHA1 21cc9fe5130ab2291926a7e82e51c771f6536ef8
SHA256 bf6319eed693eba9cc3a464480bd940f0f45e810507bfcf36b2ad16759c39577
SHA512 2b2b1afcba52d35568ebf1b5270bad4671e2de256f2f19e44fbddd3880aeeaecac9f1c8d78b46875251b5e4e0fe1262ef5f2923d079dbd5b27dc6f14fffe0ca8

memory/1568-143-0x0000000000000000-mapping.dmp

memory/1568-145-0x0000000000400000-0x0000000000457000-memory.dmp

memory/312-146-0x0000000024010000-0x0000000024072000-memory.dmp