Malware Analysis Report

2025-08-05 12:38

Sample ID 221106-k3gj6sfddk
Target 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
Tags
cybergate [email protected] persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833

Threat Level: Known bad

The file 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833 was found to be: Known bad.

Malicious Activity Summary

cybergate [email protected] persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Drops startup file

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Runs net.exe

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 09:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 09:07

Reported

2022-11-06 10:43

Platform

win7-20220901-en

Max time kernel

151s

Max time network

141s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31} C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif C:\Windows\SysWOW64\install\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\Windows\SysWOW64\install\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\Windows\SysWOW64\install\server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\install\server.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374496229" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{79B1F5A1-5DBF-11ED-979A-4A7553B9BC92} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1712 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1712 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe C:\Program Files\Internet Explorer\iexplore.exe 11
PID 1284 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe 4
PID 544 wrote to memory of 1148 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 4
PID 1640 wrote to memory of 1548 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
PID 1712 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe 12
PID 1932 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe C:\Windows\Explorer.EXE 25

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

"C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

"C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275466 /prefetch:2

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 dunderburken.no-ip.biz udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1712-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

memory/1284-55-0x0000000000000000-mapping.dmp

memory/544-56-0x0000000000000000-mapping.dmp

memory/1148-57-0x0000000000000000-mapping.dmp

memory/1712-58-0x0000000000350000-0x0000000000354000-memory.dmp

\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/1932-60-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1932-61-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1932-64-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1932-67-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1932-66-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1932-65-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1932-63-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/1932-69-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1932-70-0x000000000040BE3C-mapping.dmp

memory/1932-72-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1932-74-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1932-75-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1932-77-0x0000000024010000-0x0000000024071000-memory.dmp

memory/1224-80-0x0000000024010000-0x0000000024071000-memory.dmp

memory/1652-83-0x0000000000000000-mapping.dmp

memory/1652-85-0x0000000071DF1000-0x0000000071DF3000-memory.dmp

memory/1932-86-0x0000000024080000-0x00000000240E1000-memory.dmp

memory/1652-91-0x0000000024080000-0x00000000240E1000-memory.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 eb38fe298ebff2c3350762d8d31ea2f1
SHA1 137f3689e670c8f6321cb0019f667873bd3a4989
SHA256 eb306b1374ec1e239104d8a638c18d76111e9b2f570d35d4c15fb028909fef8c
SHA512 f556cc5d9f4dc265dfc0a5640a725fa2b4c7e73a8a18df45d4ccd04c07040d2f51e0cae65d010d884421523fa86589afa2d7d63253a404a334c83f7cb0fa87f1

memory/1652-94-0x0000000024080000-0x00000000240E1000-memory.dmp

memory/1932-96-0x00000000240F0000-0x0000000024151000-memory.dmp

\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/1592-101-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/1932-104-0x0000000024160000-0x00000000241C1000-memory.dmp

memory/1592-109-0x0000000024160000-0x00000000241C1000-memory.dmp

\Windows\SysWOW64\install\server.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/2052-111-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

C:\Users\Admin\AppData\Roaming\InstallDir\help.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/2124-119-0x0000000000000000-mapping.dmp

memory/1932-118-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2088-117-0x0000000000000000-mapping.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\system.pif

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/2144-120-0x0000000000000000-mapping.dmp

memory/1592-121-0x0000000024160000-0x00000000241C1000-memory.dmp

memory/2260-132-0x000000000040BE3C-mapping.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/2260-136-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2260-137-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2260-138-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1592-139-0x0000000024160000-0x00000000241C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RM0WHHAQ.txt

MD5 854b80ed7ffc6853844258a8498a96a8
SHA1 bd2230cca7f6296c504ae12e87bdb79782892143
SHA256 aa4671eaf5dd830247ab0da141d39995d5092744570ae32ff1f6cd30f3541749
SHA512 a9db7f1baa292c7deb34b245c688e91ffe1dbb7cd02295b9aeb46f52031199af27b79338da01a5866e2cd442cb2574262b6e52a98aba4ad0afbfe1ff0967210e

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 09:07

Reported

2022-11-06 10:43

Platform

win10v2004-20220901-en

Max time kernel

150s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31} | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif | C:\Windows\SysWOW64\install\server.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | C:\Windows\SysWOW64\install\server.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | C:\Windows\SysWOW64\install\server.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Windows\SysWOW64\install\server.exe | N/A
File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374496229" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1367698156" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7D0B2CE8-5DBF-11ED-A0EE-7ADCB3813C8F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30994892" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1374885152" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1430823202" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30994892" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1367698156" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30994892" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30994892" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4800 wrote to memory of 4580 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 4580 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 4580 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4800 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4800 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4800 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4800 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4800 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4800 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4800 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4800 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4800 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4800 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4580 wrote to memory of 4980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 4580 wrote to memory of 4980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 4580 wrote to memory of 4980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 4980 wrote to memory of 4900 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 4980 wrote to memory of 4900 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 4980 wrote to memory of 4900 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3464 wrote to memory of 1104 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3464 wrote to memory of 1104 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3464 wrote to memory of 1104 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 4800 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

"C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17410 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

"C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17414 /prefetch:2

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 13.107.21.200:443 | www.bing.com | tcp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 20.189.173.5:443 | | tcp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.253.208.120:80 | | tcp
US | 8.253.208.120:80 | | tcp
US | 8.253.208.120:80 | | tcp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp
US | 8.8.8.8:53 | dunderburken.no-ip.biz | udp

Files

memory/4580-132-0x0000000000000000-mapping.dmp

memory/4980-133-0x0000000000000000-mapping.dmp

memory/4900-134-0x0000000000000000-mapping.dmp

memory/4800-135-0x0000000000670000-0x0000000000674000-memory.dmp

memory/2196-136-0x0000000000000000-mapping.dmp

memory/2196-137-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2196-139-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/2196-140-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2196-141-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2196-143-0x0000000024010000-0x0000000024071000-memory.dmp

memory/2924-147-0x0000000000000000-mapping.dmp

memory/2196-148-0x0000000024080000-0x00000000240E1000-memory.dmp

memory/2924-151-0x0000000024080000-0x00000000240E1000-memory.dmp

memory/2924-152-0x0000000024080000-0x00000000240E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 eb38fe298ebff2c3350762d8d31ea2f1
SHA1 137f3689e670c8f6321cb0019f667873bd3a4989
SHA256 eb306b1374ec1e239104d8a638c18d76111e9b2f570d35d4c15fb028909fef8c
SHA512 f556cc5d9f4dc265dfc0a5640a725fa2b4c7e73a8a18df45d4ccd04c07040d2f51e0cae65d010d884421523fa86589afa2d7d63253a404a334c83f7cb0fa87f1

C:\Windows\SysWOW64\install\server.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/2196-156-0x00000000240F0000-0x0000000024151000-memory.dmp

memory/2288-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/2196-162-0x0000000024160000-0x00000000241C1000-memory.dmp

memory/2288-165-0x0000000024160000-0x00000000241C1000-memory.dmp

memory/2196-166-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2288-167-0x0000000024160000-0x00000000241C1000-memory.dmp

memory/4700-168-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\system.pif

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/4588-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\InstallDir\help.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/4724-174-0x0000000000000000-mapping.dmp

memory/3604-175-0x0000000000000000-mapping.dmp

memory/1112-176-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 063ff71b72736da808960ea600dd1480
SHA1 7c431d0d97df53217645964234d38e8e5b210f16
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512 ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c

memory/1112-180-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1112-181-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1112-182-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2924-183-0x0000000024080000-0x00000000240E1000-memory.dmp

memory/2288-184-0x0000000024160000-0x00000000241C1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 2d2178c4ba2e01df79b6e787caecd70e
SHA1 32feba9571993a2bdccc68d6de1bdd68f82cfbf8
SHA256 ba9dee61d1e95e7b33bdf223da96a8348a890459853c5437cd7981520d43849d
SHA512 23d8a224158a47ed813aa0ffec86f915fe28eaed3612f0e93be64bef5bfe08044730a550a3b7546e131fc3810c39defd6602ef30ed2f058336b8e7c5b5cd238c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 a3856e64a40b8abd16376b0207dccb3a
SHA1 826d958b19f7ffabec3f191ac46aa9dbe1e46af5
SHA256 aac5cff7c8300b756c1716ee6932671eaa38fbf9a60034342c16039225d40f01
SHA512 8841ba0aac78b4fa36bbb875683bd1d8cf52beb306ff67c1840c727452f139326b0f9c90b43524fd9d336d7e2eccb2e5316e3dad91dbc9fb6cd7917d3b160b2e
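The file list above says more than it appears to: server.exe under SysWOW64\install, help.exe under AppData\Roaming\InstallDir and the system.pif in the user's Startup folder all carry the submitted sample's digests, so they are byte-identical copies placed for persistence; the system.pif under ProgramData has the digest of zero bytes (MD5 d41d8cd9..., SHA256 e3b0c442...), so it was created but never written; and the two CryptnetUrlCache entries are Windows' own certificate-revocation cache, not attacker files. The script below is an added example, not part of the report or of the sandbox's tooling. It parses records in the report's own layout (a path line followed by digest lines, with memory-dump entries interleaved), groups them by SHA256 and sorts them into those buckets. The location labels and the OS-noise path fragment are this example's own assumptions.

```python
"""Triage of the dropped-file list from a sandbox report (added example)."""
import hashlib
import re
from collections import defaultdict

# SHA256 of the submitted sample, taken from the report header.
SAMPLE_SHA256 = "4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833"
# SHA256 of zero bytes (e3b0c442...): such a file was created but never written to.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Paths Windows writes itself during certificate revocation checks (assumption: treat as noise).
OS_NOISE = ("\\Microsoft\\CryptnetUrlCache\\",)

# Persistence-relevant locations with this example's own labels; first match wins.
PERSISTENCE_HINTS = (
    ("\\Start Menu\\Programs\\Startup\\", "startup-folder"),
    ("\\SysWOW64\\", "system-directory"),
    ("\\AppData\\Roaming\\", "user-profile"),
)

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")

# Constructed excerpt of the report's Files section: same paths and digests,
# SHA1/SHA512 lines omitted for brevity (the parser accepts them as well).
REPORT_FILES = r"""
memory/2196-137-0x0000000000400000-0x000000000044C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
MD5 063ff71b72736da808960ea600dd1480
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
MD5 eb38fe298ebff2c3350762d8d31ea2f1
SHA256 eb306b1374ec1e239104d8a638c18d76111e9b2f570d35d4c15fb028909fef8c
C:\Windows\SysWOW64\install\server.exe
MD5 063ff71b72736da808960ea600dd1480
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\system.pif
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif
MD5 063ff71b72736da808960ea600dd1480
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
C:\Users\Admin\AppData\Roaming\InstallDir\help.exe
MD5 063ff71b72736da808960ea600dd1480
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
C:\Windows\SysWOW64\install\server.exe
MD5 063ff71b72736da808960ea600dd1480
SHA256 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5 2d2178c4ba2e01df79b6e787caecd70e
SHA256 ba9dee61d1e95e7b33bdf223da96a8348a890459853c5437cd7981520d43849d
"""


def parse_files_section(text):
    """Return (path, {algo: digest}) per path occurrence; memory dumps are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_LINE.match(line):
            current = (line, {})
            records.append(current)
        elif line.startswith("memory/"):
            current = None            # dump entries carry no digests
        else:
            m = HASH_LINE.match(line)
            if m and current is not None:
                current[1][m.group(1)] = m.group(2).lower()
    return records


def triage(text):
    """Classify each dropped file by what its SHA256 says about it."""
    out = {"sample_copies": set(), "persistence": {}, "empty_files": set(),
           "os_noise": set(), "other": defaultdict(set)}
    for path, digests in parse_files_section(text):
        sha = digests.get("SHA256")
        if any(frag in path for frag in OS_NOISE):
            out["os_noise"].add(path)
        elif sha == SAMPLE_SHA256:
            out["sample_copies"].add(path)          # set: repeated writes collapse
            for frag, label in PERSISTENCE_HINTS:
                if frag in path:
                    out["persistence"][path] = label
                    break
        elif sha == EMPTY_SHA256:
            out["empty_files"].add(path)
        elif sha:
            out["other"][sha].add(path)
    return out


if __name__ == "__main__":
    for key, value in triage(REPORT_FILES).items():
        print(key, dict(value) if isinstance(value, defaultdict) else value)
```

The point of grouping by digest rather than by name is that the same executable appears under four paths here while the Temp copy is just the sample as submitted; the three copies outside Temp are the persistence artifacts to remove and to hunt for, and the empty ProgramData system.pif is a failed write (the sandbox user could not write to the all-users Startup folder) that still reveals an intended location. The XX--XX--XX.txt file has its own digest and is the only dropped file whose content is not already known, so it is the one to pull from the sandbox and inspect.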