Malware Analysis Report

2025-08-05 12:40

Sample ID 221106-kfp8sscab8
Target 70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06
SHA256 70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06
Tags
cybergate persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06

Threat Level: Known bad

The file 70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06 was found to be: Known bad.

Malicious Activity Summary

cybergate persistence stealer trojan upx

CyberGate, Rebhip

Executes dropped EXE

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 08:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 08:32

Reported

2022-11-06 10:06

Platform

win7-20220812-en

Max time kernel

152s

Max time network

68s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81H0050E-P75Q-YX4D-ALKN-0AY3V43V2C4W}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{81H0050E-P75Q-YX4D-ALKN-0AY3V43V2C4W} C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81H0050E-P75Q-YX4D-ALKN-0AY3V43V2C4W}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{81H0050E-P75Q-YX4D-ALKN-0AY3V43V2C4W} C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
(17 matches recorded; the sandbox logged no description, indicator, process or target for any of them)

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\install\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
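
The three persistence signatures above (policy Run key, Active Setup StubPath, Run key) and the file drop all converge on one image. Note the path mismatch a responder has to reconcile: every registry value names C:\Windows\system32\install\server.exe, while the file was created under C:\Windows\SysWOW64\install\server.exe. The sample is a 32-bit process on 64-bit Windows (the Wow6432Node keys show the same thing for the registry), so file system redirection sends its system32 write to SysWOW64; hunting for the system32 path on disk alone will miss the dropper. The script below is an added example, not part of the report or of CyberGate: it parses rows in the report's flattened "Description Indicator Process Target" format, normalises hives and the Wow6432Node reflection, classifies the autorun location, and checks that each autorun value resolves (after the system32 to SysWOW64 fold) to a file the same run created. The hash-named sample is renamed sample.exe in the rows, the last row is constructed, and the ATT&CK sub-technique IDs are the author's mapping, since the report's own MITRE section is empty.

```python
"""Autorun persistence from flattened sandbox registry rows, cross-checked
against the files the same run dropped.

Added example; not from the sandbox report or from CyberGate. Rows marked
"from the report" are copied from behavioral1 with the hash-named sample
renamed sample.exe; the ATT&CK IDs and the system32 -> SysWOW64 fold are the
author's assumptions (see comments).
"""
import re

SAMPLE_ROWS = [
    # From the report (behavioral1), sample renamed to sample.exe:
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81H0050E-P75Q-YX4D-ALKN-0AY3V43V2C4W}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    # Constructed benign row: a Set value outside every autorun location; must not be flagged.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\Explorer.EXE N/A',
]

# 'Set value (str) <key> = "<value>" <process> <target>'. The key may contain
# spaces (Active Setup), the value is quoted, process and target contain no
# spaces (true for every row in this report; a simplifying assumption).
SET_VALUE_RE = re.compile(
    r'^Set value \((?:str|int|data)\) (?P<key>.+?) = "(?P<value>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$')
FILE_CREATED_RE = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$')
HIVE_RE = re.compile(r'^\\REGISTRY\\(?:(?P<machine>MACHINE)|USER\\(?P<sid>S-1-5-[\d-]+))\\', re.I)

# Matched against the normalised key. ATT&CK mapping is the author's assumption.
AUTORUN_LOCATIONS = (
    (re.compile(r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$', re.I),
     'Policies\\Explorer\\Run', 'T1547.001'),
    (re.compile(r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$', re.I),
     'Run', 'T1547.001'),
    (re.compile(r'\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\\{[^\\]+\}\\StubPath$', re.I),
     'Active Setup StubPath', 'T1547.014'),
)


def normalize_key(key):
    r"""\REGISTRY\MACHINE -> HKLM, \REGISTRY\USER\<SID> -> HKU\<SID>; drop the
    Wow6432Node reflection so 32-bit and 64-bit writes compare equal."""
    m = HIVE_RE.match(key)
    if not m:
        return key
    hive = 'HKLM' if m.group('machine') else 'HKU\\' + m.group('sid')
    rest = re.sub(r'^SOFTWARE\\Wow6432Node\\', lambda _: 'SOFTWARE\\', key[m.end():], flags=re.I)
    return hive + '\\' + rest


def split_command(value):
    """Undo the report's doubled backslashes and split image path from arguments."""
    value = value.replace('\\\\', '\\').strip()
    m = re.match(r'^"?(?P<image>[^"]+?\.exe)"?(?:\s+(?P<args>.*))?$', value, re.I)
    if not m:
        return value, ''
    return m.group('image'), m.group('args') or ''


def fold_wow64(path):
    r"""Assumption: a 32-bit process on 64-bit Windows, so its write to
    C:\Windows\system32\ is redirected to C:\Windows\SysWOW64\ (exactly what
    the report shows: registry says system32, the file lands in SysWOW64)."""
    return re.sub(r'^([a-z]:\\windows\\)system32\\', r'\1syswow64\\', path.lower())


def extract_autoruns(rows):
    hits = []
    for row in rows:
        m = SET_VALUE_RE.match(row)
        if not m:
            continue
        key = normalize_key(m.group('key'))
        for pattern, location, technique in AUTORUN_LOCATIONS:
            if pattern.search(key):
                image, args = split_command(m.group('value'))
                hits.append({'key': key, 'location': location, 'technique': technique,
                             'image': image, 'args': args, 'writer': m.group('proc')})
                break
    return hits


def dropped_files(rows):
    paths = set()
    for row in rows:
        m = FILE_CREATED_RE.match(row)
        if m:
            paths.add(fold_wow64(m.group('path')))
    return paths


def cross_check(rows):
    """Autorun entries, each tagged with whether its image is a file this run created."""
    dropped = dropped_files(rows)
    hits = extract_autoruns(rows)
    for hit in hits:
        hit['points_to_dropped_file'] = fold_wow64(hit['image']) in dropped
    return hits


if __name__ == '__main__':
    for hit in cross_check(SAMPLE_ROWS):
        print(f"{hit['technique']} {hit['location']:<22} {hit['key']}")
        print(f"    -> {hit['image']} {hit['args']}  dropped_this_run={hit['points_to_dropped_file']}")
```

Run against the five persistence rows above, every hit resolves to the dropped file, and the Active Setup entry carries the extra "Restart" argument that the report records separately from the plain StubPath value. On a live host the same fold matters in reverse: a 32-bit hunting tool reading HKLM\SOFTWARE\...\Run sees the Wow6432Node view, a 64-bit tool sees both.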

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\install\server.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID C:\Windows\SysWOW64\install\server.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\install\server.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\install\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe C:\Windows\Explorer.EXE
(this identical row was recorded 64 times; one copy is kept here)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe

"C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe

"C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maromba.no-ip.biz udp
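
The single network event is the shape of a classic RAT callback: a hostname under a free dynamic-DNS zone (no-ip.biz) resolved directly at a public resolver (8.8.8.8). In the sandbox 8.8.8.8 is simply the configured resolver, but on an enterprise network a host that queries a public resolver itself, rather than the internal DNS servers, is bypassing logging and filtering, and that combined with a dynamic-DNS name is worth an alert on its own. The script below is an added example, not part of the report: it classifies rows in the report's "Country Destination Domain Proto" format. The first row is the report's own; the others are constructed. The dynamic-DNS zone list is a small, partial, author-chosen set, and INTERNAL_RESOLVERS stands in for an organisation's own DNS servers.

```python
"""Classify DNS rows by the two traits of this sample's C2 lookup: a
dynamic-DNS hostname, and a query sent straight to a public resolver.

Added example; not from the sandbox report. First row copied from the report,
the rest constructed. DDNS_ZONES is partial and author-chosen; INTERNAL_RESOLVERS
is a constructed stand-in for an organisation's own DNS servers.
"""
import ipaddress

# Country Destination Domain Proto (the report's flattened table format)
SAMPLE_DNS_ROWS = [
    'US 8.8.8.8:53 maromba.no-ip.biz udp',       # from the report
    'US 8.8.8.8:53 www.example.com udp',         # constructed: benign name, public resolver
    'XX 10.0.0.53:53 intranet.corp.example udp', # constructed: benign name, internal resolver
    'XX 10.0.0.53:53 update.duckdns.org udp',    # constructed: DDNS name via internal resolver
]

# Partial, author-chosen list of free dynamic-DNS zones often used for RAT C2.
DDNS_ZONES = ('no-ip.biz', 'no-ip.org', 'no-ip.info', 'ddns.net', 'hopto.org',
              'zapto.org', 'duckdns.org', 'dyndns.org')
# Constructed: the resolvers endpoints on this network are expected to use.
INTERNAL_RESOLVERS = {ipaddress.ip_address('10.0.0.53')}


def parse_dns_row(row):
    country, dest, domain, proto = row.split()
    host, _, port = dest.rpartition(':')
    return {'country': country, 'resolver': ipaddress.ip_address(host), 'port': int(port),
            'domain': domain.lower().rstrip('.'), 'proto': proto}


def is_ddns(domain):
    """Label-boundary suffix match, so no-ip.biz.example.com is not a hit."""
    return any(domain == zone or domain.endswith('.' + zone) for zone in DDNS_ZONES)


def classify(row):
    r = parse_dns_row(row)
    reasons = []
    if is_ddns(r['domain']):
        reasons.append('dynamic-dns-domain')
    # A query to a globally routable resolver that is not one of ours.
    if r['resolver'] not in INTERNAL_RESOLVERS and r['resolver'].is_global:
        reasons.append('bypasses-internal-resolver')
    # Both traits together are the shape of this sample's C2 lookup.
    r['severity'] = 'high' if len(reasons) == 2 else 'medium' if reasons else 'none'
    r['reasons'] = reasons
    return r


def triage(rows):
    return [classify(row) for row in rows]


if __name__ == '__main__':
    for r in triage(SAMPLE_DNS_ROWS):
        print(f"{r['severity']:<6} {r['domain']:<28} via {r['resolver']}  {','.join(r['reasons']) or '-'}")
```

The domain itself is the durable indicator here; the resolver address says something about the host's behaviour, not about the malware, so keep the two reasons separate when turning this into a detection rule.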

Files

memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

memory/2016-55-0x0000000000390000-0x00000000003C8000-memory.dmp

memory/2016-56-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2016-57-0x0000000000390000-0x00000000003C8000-memory.dmp

memory/2016-58-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2016-60-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1380-63-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1756-66-0x0000000000000000-mapping.dmp

memory/1756-68-0x0000000074D31000-0x0000000074D33000-memory.dmp

memory/2016-69-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1756-74-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 c9ede3d740bebd0d0a94e848bfbeb3e6
SHA1 7133f061a29ef53b19f459cc48a3d9ff230eff58
SHA256 b0ee0d8f02e99e020e83cf95e926e43023cfbfd39126f37e769d53b0fefe84f2
SHA512 993dcdb5805dc6700443db83c23f206d6ce4b91609a19f8342936aa576182facdfcd027a6c9e5ddebfd081ced1b828eafc29d1ff58e448ee8254c10a2886a53b

C:\Windows\SysWOW64\install\server.exe

MD5 0109baffec5befdc8e10ccd8e9866178
SHA1 3d46f885e43a83d66fab60e12b76dc3b2c2bb3d0
SHA256 70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06
SHA512 b213212066b7fab3d1c65cdbda7be6d7989de4ff69791f35d62c26a07e8f48ad352e5dab855eb6f2ed7d7fec24c864411b62c6b0f48525b9c0aa84c927a5fbe7

memory/1756-77-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/2016-79-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1412-83-0x0000000000000000-mapping.dmp

memory/2016-84-0x0000000002300000-0x0000000002414000-memory.dmp

memory/1412-85-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2016-87-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/2016-93-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1412-92-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/2016-94-0x0000000000390000-0x00000000003C8000-memory.dmp

\Windows\SysWOW64\install\server.exe

MD5 0109baffec5befdc8e10ccd8e9866178
SHA1 3d46f885e43a83d66fab60e12b76dc3b2c2bb3d0
SHA256 70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06
SHA512 b213212066b7fab3d1c65cdbda7be6d7989de4ff69791f35d62c26a07e8f48ad352e5dab855eb6f2ed7d7fec24c864411b62c6b0f48525b9c0aa84c927a5fbe7

memory/704-97-0x0000000000000000-mapping.dmp

memory/1412-100-0x0000000006BD0000-0x0000000006CE4000-memory.dmp

memory/1412-101-0x0000000006BD0000-0x0000000006CE4000-memory.dmp

memory/704-102-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1412-103-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/704-104-0x00000000003C0000-0x00000000003F8000-memory.dmp

memory/704-106-0x0000000000400000-0x0000000000514000-memory.dmp

memory/704-105-0x00000000003C0000-0x00000000003F8000-memory.dmp

memory/704-107-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1412-108-0x0000000006BD0000-0x0000000006CE4000-memory.dmp

memory/1412-109-0x0000000006BD0000-0x0000000006CE4000-memory.dmp

memory/1412-110-0x0000000024160000-0x00000000241C2000-memory.dmp
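
The memory dump names above carry more than the Files list suggests. Read as PID, sequence and address range, three ranges of identical size (0x62000 bytes) appear first in PID 2016 (the sample) and then in another process: 0x24010000-0x24072000 in 1380 (Explorer.EXE, the WriteProcessMemory target), 0x24080000-0x240E2000 in 1756, and 0x24160000-0x241C2000 in 1412. The 0x400000-0x514000 range shared by 2016, 1412 and 704 is different in kind: that is the PE mapped at its image base in every process running this binary, which is expected because the dropped server.exe has the sample's own hash. The script below is an added example, not part of the report: it parses the dump names and the WriteProcessMemory rows as they appear in the report, groups ranges across PIDs, and marks which shared range lines up with a recorded cross-process write. The name layout memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the names themselves, and treating 0x400000 as the image base is an assumption; whether a shared range really holds injected code is something only the dump contents can confirm.

```python
"""Correlate sandbox memory dump names with WriteProcessMemory rows to find
address ranges that recur in more than one PID.

Added example; not from the sandbox report. DUMPS and WPM_ROWS are copied from
the report's behavioral1 Files and WriteProcessMemory tables (64 identical WPM
rows reduced to one). The dump-name layout is inferred from the names, and
0x400000 as this 32-bit PE's image base is an assumption.
"""
import re
from collections import defaultdict

DUMPS = """
memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp memory/2016-55-0x0000000000390000-0x00000000003C8000-memory.dmp
memory/2016-56-0x0000000000400000-0x0000000000514000-memory.dmp memory/2016-57-0x0000000000390000-0x00000000003C8000-memory.dmp
memory/2016-58-0x0000000000400000-0x0000000000514000-memory.dmp memory/2016-60-0x0000000024010000-0x0000000024072000-memory.dmp
memory/1380-63-0x0000000024010000-0x0000000024072000-memory.dmp memory/1756-66-0x0000000000000000-mapping.dmp
memory/1756-68-0x0000000074D31000-0x0000000074D33000-memory.dmp memory/2016-69-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/1756-74-0x0000000024080000-0x00000000240E2000-memory.dmp memory/1756-77-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/2016-79-0x00000000240F0000-0x0000000024152000-memory.dmp memory/1412-83-0x0000000000000000-mapping.dmp
memory/2016-84-0x0000000002300000-0x0000000002414000-memory.dmp memory/1412-85-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2016-87-0x0000000024160000-0x00000000241C2000-memory.dmp memory/2016-93-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1412-92-0x0000000024160000-0x00000000241C2000-memory.dmp memory/2016-94-0x0000000000390000-0x00000000003C8000-memory.dmp
memory/704-97-0x0000000000000000-mapping.dmp memory/1412-100-0x0000000006BD0000-0x0000000006CE4000-memory.dmp
memory/1412-101-0x0000000006BD0000-0x0000000006CE4000-memory.dmp memory/704-102-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1412-103-0x0000000024160000-0x00000000241C2000-memory.dmp memory/704-104-0x00000000003C0000-0x00000000003F8000-memory.dmp
memory/704-106-0x0000000000400000-0x0000000000514000-memory.dmp memory/704-105-0x00000000003C0000-0x00000000003F8000-memory.dmp
memory/704-107-0x0000000000400000-0x0000000000514000-memory.dmp memory/1412-108-0x0000000006BD0000-0x0000000006CE4000-memory.dmp
memory/1412-109-0x0000000006BD0000-0x0000000006CE4000-memory.dmp memory/1412-110-0x0000000024160000-0x00000000241C2000-memory.dmp
""".split()

WPM_ROWS = [
    r'PID 2016 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe C:\Windows\Explorer.EXE',
]

DUMP_RE = re.compile(r'^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\b')
DEFAULT_IMAGE_BASE = 0x400000  # assumption: preferred base of this 32-bit PE


def parse_dump(name):
    """-> (pid, seq, start, end); None for '-mapping.dmp' entries, which carry no range."""
    m = DUMP_RE.match(name)
    return None if m is None else (int(m['pid']), int(m['seq']), int(m['start'], 16), int(m['end'], 16))


def regions_by_pid(dumps):
    """(start, end) -> PIDs that had a dump of exactly that range, in dump order."""
    out = defaultdict(list)
    for pid, _seq, start, end in sorted(filter(None, map(parse_dump, dumps)), key=lambda r: r[1]):
        if pid not in out[(start, end)]:
            out[(start, end)].append(pid)
    return dict(out)


def cross_process_writes(rows):
    """{(writer_pid, target_pid)} from 'PID a wrote to memory of b' rows."""
    return {(int(m['src']), int(m['dst'])) for m in map(WPM_RE.match, rows) if m}


def shared_regions(dumps, wpm_rows):
    """Ranges dumped from more than one PID, with two hints on how to read each."""
    writes = cross_process_writes(wpm_rows)
    findings = []
    for (start, end), pids in regions_by_pid(dumps).items():
        if len(pids) < 2:
            continue
        findings.append({
            'range': (start, end), 'size': end - start, 'pids': pids,
            # Same binary mapped at its image base in several processes: expected
            # here, since the dropped server.exe has the sample's own hash.
            'image_base': start == DEFAULT_IMAGE_BASE,
            # First dumped in the writer, later in a process it was recorded writing
            # into: consistent with an injected buffer (confirm in the dump itself).
            'matches_wpm': any((pids[0], p) in writes for p in pids[1:]),
        })
    return findings


if __name__ == '__main__':
    for f in shared_regions(DUMPS, WPM_ROWS):
        print(f"{f['range'][0]:#010x}-{f['range'][1]:#010x} size={f['size']:#x} pids={f['pids']} "
              f"image_base={f['image_base']} matches_wpm={f['matches_wpm']}")
```

Only the 0x24010000 range is backed by a recorded write (2016 into 1380); the other two 0x62000-byte ranges recur in 1756 and 1412 without a matching WriteProcessMemory row in the table, so they are leads to check in the dumps, not conclusions.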

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 08:32

Reported

2022-11-06 10:06

Platform

win10v2004-20220812-en

Max time kernel

154s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{81H0050E-P75Q-YX4D-ALKN-0AY3V43V2C4W} C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81H0050E-P75Q-YX4D-ALKN-0AY3V43V2C4W}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{81H0050E-P75Q-YX4D-ALKN-0AY3V43V2C4W} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81H0050E-P75Q-YX4D-ALKN-0AY3V43V2C4W}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
(14 matches recorded; the sandbox logged no description, indicator, process or target for any of them)

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\install\server.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\install\server.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\install\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\install\server.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\install\server.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe

"C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe

"C:\Users\Admin\AppData\Local\Temp\70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 72.21.91.29:80 tcp
US 8.8.8.8:53 maromba.no-ip.biz udp
US 93.184.221.240:80 tcp
NL 104.80.225.205:443 tcp
FR 40.79.150.121:443 tcp
US 93.184.220.29:80 tcp
US 8.247.211.254:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 c9ede3d740bebd0d0a94e848bfbeb3e6
SHA1 7133f061a29ef53b19f459cc48a3d9ff230eff58
SHA256 b0ee0d8f02e99e020e83cf95e926e43023cfbfd39126f37e769d53b0fefe84f2
SHA512 993dcdb5805dc6700443db83c23f206d6ce4b91609a19f8342936aa576182facdfcd027a6c9e5ddebfd081ced1b828eafc29d1ff58e448ee8254c10a2886a53b

C:\Windows\SysWOW64\install\server.exe

MD5 0109baffec5befdc8e10ccd8e9866178
SHA1 3d46f885e43a83d66fab60e12b76dc3b2c2bb3d0
SHA256 70407645ae588bae209328e0f37861ced8e6557d86acf3d7347f61e601cebb06
SHA512 b213212066b7fab3d1c65cdbda7be6d7989de4ff69791f35d62c26a07e8f48ad352e5dab855eb6f2ed7d7fec24c864411b62c6b0f48525b9c0aa84c927a5fbe7