Malware Analysis Report

2025-08-06 03:51

Sample ID 221030-xvmsfagahn
Target 6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769
SHA256 6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769
Tags
upx ssssss cybergate persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769

Threat Level: Known bad

The file 6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769 was found to be: Known bad.

Malicious Activity Summary

upx ssssss cybergate persistence stealer trojan

CyberGate, Rebhip

Cybergate family

Executes dropped EXE

Adds policy Run key to start application

UPX packed file

Modifies Installed Components in the registry

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-30 19:10

Signatures

Cybergate family

cybergate

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-30 19:10

Reported

2022-10-31 11:58

Platform

win7-20220812-en

Max time kernel

150s

Max time network

44s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\dir\install\install\server.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(10 identical rows)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2020 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | C:\Windows\Explorer.EXE
(64 identical rows)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe

"C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe

"C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe"

C:\dir\install\install\server.exe

"C:\dir\install\install\server.exe"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:81 | | tcp
(4 identical rows)

Files

memory/2020-54-0x0000000000400000-0x00000000004AC000-memory.dmp

memory/2020-55-0x0000000075451000-0x0000000075453000-memory.dmp

memory/2020-57-0x0000000010410000-0x000000001046C000-memory.dmp

memory/1412-63-0x0000000010410000-0x000000001046C000-memory.dmp

memory/740-66-0x0000000000000000-mapping.dmp

memory/740-68-0x0000000074951000-0x0000000074953000-memory.dmp

memory/2020-69-0x0000000010470000-0x00000000104CC000-memory.dmp

memory/740-77-0x0000000010470000-0x00000000104CC000-memory.dmp

memory/2020-79-0x00000000104D0000-0x000000001052C000-memory.dmp

memory/2864-86-0x0000000000000000-mapping.dmp

memory/2020-88-0x0000000001C70000-0x0000000001D1C000-memory.dmp

memory/2864-89-0x0000000000400000-0x00000000004AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 5d3b4fcd9fa58102c7e152c1d8ca3bc9
SHA1 bf878a6272e714b35a5f21725855bfd4d4ad6d72
SHA256 a417f8bcb192cea3fcbc5e705be8fb559f29522db45972d51a679b4842b4c640
SHA512 fca312fc08741f2dba2a11daea2856013555f469f156421f68747bb227b00d327dd1325a8b4921d0a6d1e056fabfc7c68d8a3791642ff0bd2b1bf685ef3f54c7

\??\c:\dir\install\install\server.exe

MD5 81ba96f22bc205644a5c18c565fbb11c
SHA1 ed38ab659af779c562d31046cfe7746ba26db2fc
SHA256 6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769
SHA512 67ace9d87ebb14b02775353ecd12be0029d04810daa500e31f87b4f77bef7a1281160fb4b1f3322f471a428bb3a905309ea5c31563ef29ff11121293cdc31d01

memory/2020-92-0x0000000010530000-0x000000001058C000-memory.dmp

memory/2020-100-0x0000000000400000-0x00000000004AC000-memory.dmp

\dir\install\install\server.exe

MD5 81ba96f22bc205644a5c18c565fbb11c
SHA1 ed38ab659af779c562d31046cfe7746ba26db2fc
SHA256 6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769
SHA512 67ace9d87ebb14b02775353ecd12be0029d04810daa500e31f87b4f77bef7a1281160fb4b1f3322f471a428bb3a905309ea5c31563ef29ff11121293cdc31d01

memory/2864-102-0x000000000A260000-0x000000000A30C000-memory.dmp

memory/2864-103-0x0000000010530000-0x000000001058C000-memory.dmp

\dir\install\install\server.exe

MD5 81ba96f22bc205644a5c18c565fbb11c
SHA1 ed38ab659af779c562d31046cfe7746ba26db2fc
SHA256 6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769
SHA512 67ace9d87ebb14b02775353ecd12be0029d04810daa500e31f87b4f77bef7a1281160fb4b1f3322f471a428bb3a905309ea5c31563ef29ff11121293cdc31d01

memory/4268-105-0x0000000000000000-mapping.dmp

C:\dir\install\install\server.exe

MD5 81ba96f22bc205644a5c18c565fbb11c
SHA1 ed38ab659af779c562d31046cfe7746ba26db2fc
SHA256 6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769
SHA512 67ace9d87ebb14b02775353ecd12be0029d04810daa500e31f87b4f77bef7a1281160fb4b1f3322f471a428bb3a905309ea5c31563ef29ff11121293cdc31d01

memory/2864-108-0x000000000A260000-0x000000000A30C000-memory.dmp

memory/4268-109-0x0000000000400000-0x00000000004AC000-memory.dmp

memory/4268-110-0x0000000000400000-0x00000000004AC000-memory.dmp

memory/740-111-0x0000000010470000-0x00000000104CC000-memory.dmp

memory/2864-112-0x0000000010530000-0x000000001058C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-30 19:10

Reported

2022-10-31 11:58

Platform

win10v2004-20220901-en

Max time kernel

151s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\dir\install\install\server.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(6 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\dir\install\install\server.exe

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE
PID 4848 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe

"C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe

"C:\Users\Admin\AppData\Local\Temp\6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769.exe"

C:\dir\install\install\server.exe

"C:\dir\install\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6264 -ip 6264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 576

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 93.184.220.29:80 tcp
N/A 127.0.0.1:81 tcp
NL 104.80.225.205:443 tcp
US 20.189.173.12:443 tcp

Files

memory/4848-132-0x0000000000400000-0x00000000004AC000-memory.dmp

memory/4848-134-0x0000000010410000-0x000000001046C000-memory.dmp

memory/1204-141-0x0000000000000000-mapping.dmp

memory/4848-142-0x0000000010470000-0x00000000104CC000-memory.dmp

memory/1204-148-0x0000000010470000-0x00000000104CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 5d3b4fcd9fa58102c7e152c1d8ca3bc9
SHA1 bf878a6272e714b35a5f21725855bfd4d4ad6d72
SHA256 a417f8bcb192cea3fcbc5e705be8fb559f29522db45972d51a679b4842b4c640
SHA512 fca312fc08741f2dba2a11daea2856013555f469f156421f68747bb227b00d327dd1325a8b4921d0a6d1e056fabfc7c68d8a3791642ff0bd2b1bf685ef3f54c7

\??\c:\dir\install\install\server.exe

MD5 81ba96f22bc205644a5c18c565fbb11c
SHA1 ed38ab659af779c562d31046cfe7746ba26db2fc
SHA256 6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769
SHA512 67ace9d87ebb14b02775353ecd12be0029d04810daa500e31f87b4f77bef7a1281160fb4b1f3322f471a428bb3a905309ea5c31563ef29ff11121293cdc31d01

memory/4848-152-0x00000000104D0000-0x000000001052C000-memory.dmp

memory/2372-159-0x0000000000000000-mapping.dmp

memory/2372-160-0x0000000000400000-0x00000000004AC000-memory.dmp

memory/4848-161-0x0000000010530000-0x000000001058C000-memory.dmp

memory/4848-167-0x0000000000400000-0x00000000004AC000-memory.dmp

memory/2372-168-0x0000000010530000-0x000000001058C000-memory.dmp

memory/6264-169-0x0000000000000000-mapping.dmp

C:\dir\install\install\server.exe

MD5 81ba96f22bc205644a5c18c565fbb11c
SHA1 ed38ab659af779c562d31046cfe7746ba26db2fc
SHA256 6d499daaac9389e156e011484aeeabcce6e4c04b32bd7f0a7801ae8995e2c769
SHA512 67ace9d87ebb14b02775353ecd12be0029d04810daa500e31f87b4f77bef7a1281160fb4b1f3322f471a428bb3a905309ea5c31563ef29ff11121293cdc31d01

memory/6264-171-0x0000000000400000-0x00000000004AC000-memory.dmp

memory/1204-172-0x0000000010470000-0x00000000104CC000-memory.dmp

memory/2372-173-0x0000000010530000-0x000000001058C000-memory.dmp