Malware Analysis Report

2025-08-06 03:47

Sample ID 221106-hxl7csbfeq
Target e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9
SHA256 e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9
Tags
cybergate persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9

Threat Level: Known bad

The file e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9 was found to be: Known bad.

Malicious Activity Summary

cybergate persistence stealer trojan upx

CyberGate, Rebhip

UPX packed file

Modifies Installed Components in the registry

Adds policy Run key to start application

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 07:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 07:07

Reported

2022-11-06 07:58

Platform

win7-20220812-en

Max time kernel

152s

Max time network

71s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0181618-0KJM-14D2-KE8X-4FH1UC015ES2}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0181618-0KJM-14D2-KE8X-4FH1UC015ES2} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0181618-0KJM-14D2-KE8X-4FH1UC015ES2}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0181618-0KJM-14D2-KE8X-4FH1UC015ES2} C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\install\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\install\server.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\install\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe

"C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe

"C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 anonnymo.no-ip.org udp

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 6a88be11070d695a7b289b10f085fc34
SHA1 253b4736c330eebc6e320872b4ef498381db0b6d
SHA256 27592e2d4095f53418e4cae63d58ce4e337f1b780d3fb94585f88ecf8946538d
SHA512 4ee5010f0c55ff3a8139a638db68a72b03dd245c0cc3684e44a263ba02fafd05f7cf1d1361e8c119311176f610554763642d846c1c436000c678f722a0665309

C:\Windows\SysWOW64\install\server.exe

MD5 0a96e4f9d8439f6b06017bc0dc37e381
SHA1 f2bae85567af84006cbffd58cacb0d8a47150cc9
SHA256 e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9
SHA512 b84c902bf7b968a911c70731401c04a7f3041604bc66cba8d2cca695b803f2512fb147b5bc47108d6323e7c084e7bfdca0a6718bdbff255ae1d78a3d38f6d41c

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 07:07

Reported

2022-11-06 07:58

Platform

win10v2004-20220901-en

Max time kernel

150s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0181618-0KJM-14D2-KE8X-4FH1UC015ES2} C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0181618-0KJM-14D2-KE8X-4FH1UC015ES2}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0181618-0KJM-14D2-KE8X-4FH1UC015ES2} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0181618-0KJM-14D2-KE8X-4FH1UC015ES2}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\install\server.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\install\server.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\install\server.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE
PID 3256 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe

"C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe

"C:\Users\Admin\AppData\Local\Temp\e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 anonnymo.no-ip.org udp
NL 67.26.109.254:80 tcp
NL 104.80.225.205:443 tcp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 20.189.173.10:443 tcp
US 52.109.13.64:443 tcp
US 8.8.8.8:53 anonnymo.no-ip.org udp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 52.109.12.19:443 tcp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp
US 8.8.8.8:53 anonnymo.no-ip.org udp

Files

memory/3256-132-0x0000000000400000-0x0000000000518000-memory.dmp

memory/3256-133-0x00000000024C0000-0x00000000024D1000-memory.dmp

memory/3256-134-0x0000000002890000-0x00000000028C8000-memory.dmp

memory/3256-135-0x00000000024C0000-0x00000000024D1000-memory.dmp

memory/3256-136-0x0000000002890000-0x00000000028C8000-memory.dmp

memory/3256-137-0x0000000000400000-0x0000000000518000-memory.dmp

memory/3256-139-0x0000000024010000-0x0000000024072000-memory.dmp

memory/840-143-0x0000000000000000-mapping.dmp

memory/3256-144-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/840-147-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/840-148-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 6a88be11070d695a7b289b10f085fc34
SHA1 253b4736c330eebc6e320872b4ef498381db0b6d
SHA256 27592e2d4095f53418e4cae63d58ce4e337f1b780d3fb94585f88ecf8946538d
SHA512 4ee5010f0c55ff3a8139a638db68a72b03dd245c0cc3684e44a263ba02fafd05f7cf1d1361e8c119311176f610554763642d846c1c436000c678f722a0665309

C:\Windows\SysWOW64\install\server.exe

MD5 0a96e4f9d8439f6b06017bc0dc37e381
SHA1 f2bae85567af84006cbffd58cacb0d8a47150cc9
SHA256 e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9
SHA512 b84c902bf7b968a911c70731401c04a7f3041604bc66cba8d2cca695b803f2512fb147b5bc47108d6323e7c084e7bfdca0a6718bdbff255ae1d78a3d38f6d41c

memory/3256-152-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/3924-156-0x0000000000000000-mapping.dmp

memory/3256-157-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/3924-160-0x0000000000400000-0x0000000000518000-memory.dmp

memory/3924-161-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/3256-162-0x0000000000400000-0x0000000000518000-memory.dmp

memory/3256-163-0x0000000002890000-0x00000000028C8000-memory.dmp

memory/3924-164-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/4732-165-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 0a96e4f9d8439f6b06017bc0dc37e381
SHA1 f2bae85567af84006cbffd58cacb0d8a47150cc9
SHA256 e43af533c291559f4b6507521659585d9128a82c15ca2533593fbddd7366a8d9
SHA512 b84c902bf7b968a911c70731401c04a7f3041604bc66cba8d2cca695b803f2512fb147b5bc47108d6323e7c084e7bfdca0a6718bdbff255ae1d78a3d38f6d41c

memory/4732-167-0x0000000000690000-0x00000000006A1000-memory.dmp

memory/4732-168-0x0000000000400000-0x0000000000518000-memory.dmp

memory/4732-169-0x0000000000690000-0x00000000006A1000-memory.dmp

memory/4732-170-0x0000000002200000-0x0000000002238000-memory.dmp

memory/4732-171-0x0000000002200000-0x0000000002238000-memory.dmp

memory/4732-172-0x0000000000400000-0x0000000000518000-memory.dmp

memory/840-173-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4732-174-0x0000000000400000-0x0000000000518000-memory.dmp

memory/3924-175-0x0000000024160000-0x00000000241C2000-memory.dmp