Malware Analysis Report

2025-01-02 13:17

Sample ID 240316-yqwefsba2x
Target ceefcf02c92ab1bb3042b882e9a6637e
SHA256 08bbf2e4657271c35a06e2288aa82fdfa663e06b98f3f5189d8749f03e3d9ba4
Tags
cybergate $teste$ persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08bbf2e4657271c35a06e2288aa82fdfa663e06b98f3f5189d8749f03e3d9ba4

Threat Level: Known bad

The file ceefcf02c92ab1bb3042b882e9a6637e was found to be: Known bad.

Malicious Activity Summary

cybergate $teste$ persistence stealer trojan

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-16 19:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 19:59

Reported

2024-03-16 20:02

Platform

win7-20240221-en

Max time kernel

146s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\install\server.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 1668 (14 events) N/A C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe
PID 1668 wrote to memory of 2648 (50 events) N/A C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe

"C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"

C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe

C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe

"C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Users\Admin\AppData\Local\Temp\Metralha's Crypter v3.12.exe

"C:\Users\Admin\AppData\Local\Temp\Metralha's Crypter v3.12.exe"

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (12 connections)

Files

memory/2984-0-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2984-4-0x0000000000230000-0x000000000024E000-memory.dmp

memory/1668-3-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2984-6-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1668-5-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1668-7-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1668-8-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1668-12-0x0000000010410000-0x000000001046C000-memory.dmp

memory/1668-18-0x0000000000220000-0x000000000023E000-memory.dmp

memory/2548-20-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2548-26-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2548-33-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1668-75-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1668-88-0x0000000000220000-0x000000000023E000-memory.dmp

memory/1668-3357-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2548-3356-0x0000000010470000-0x00000000104CC000-memory.dmp

memory/2548-3355-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 4b2240fb77c6e4bb5dc9dfddd2b45f7c
SHA1 afbb9c29e9a9ad28832bd17a8352e813a374e7c7
SHA256 bbf66c19da983fed7d268304f54ed76233d636c3de6b5a017baf1c6a74501f07
SHA512 9ca6b1279dbebfc2143d6533a89c04acd2632d68c53b2dbb590fd46c94c1ba0cca95e10b6d094dfa98c338a0cec2d91df16fe2c9592a916122ee8d01dc4490e7

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Windows\SysWOW64\install\server.exe

MD5 8b363511ac765476b0f44f924ce0be8e
SHA1 3267a8122cbb7f141938bb4e7acb0000b26b0fb6
SHA256 2b69bde0a2e3fac3a33c543af6d4d70d6006bc6d4f1d2cef4ee19d43f7cd9630
SHA512 9d5fcb1d75c5f32182c84027dabdf0151d7f44e3320a35d9fd3f82333bb26d631e5748681774acbc53c7c768953f749727558991c5f2be975bcab44958b736a0

\Windows\SysWOW64\install\server.exe

MD5 ceefcf02c92ab1bb3042b882e9a6637e
SHA1 ac138746d5c3b5ca777cb4e7a057c6b84aaac76b
SHA256 08bbf2e4657271c35a06e2288aa82fdfa663e06b98f3f5189d8749f03e3d9ba4
SHA512 fcf0fd0099bec688db085d528de1c8a13a6cd13f023bf833260125d222482c7dbc84f24cd0db4a4a01149f67ecba5896e44df8ac7fcfd6f275759c3fc87ae316

\Users\Admin\AppData\Local\Temp\Metralha's Crypter v3.12.exe

MD5 877abd9b81976255de04d02548ce6d8e
SHA1 d685dd24c2e86b032c1cc65ebd182977c634714b
SHA256 eb557bf81450de09da90f346d1b478a06d5c0d4a6ac200f458b3ac5a90fe2309
SHA512 42d6550d97cfede4cb680e521d2cc2c36271ce02bb216b3f26cee0371d70f0dad8d13473028413b7c150f80d4f926f77d1f3a3941648482be2e02c9e285aa552

memory/2548-3392-0x000000000A2A0000-0x000000000A2BE000-memory.dmp

memory/1552-3403-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1440-3405-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1440-3408-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2548-3409-0x0000000010470000-0x00000000104CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a75b89d24e7664aab6aac0716aa97c9c
SHA1 db68902e044f958e8935ee231d73c70b20648fce
SHA256 40f647ffb49a960f7ff2881122c6e0c113b96a338b0b34db3b3ee248491f7bd8
SHA512 7d0dc8b9280c0d171295cc34e83126f3ae8c9b4da603cbc6183c4a3efd0f759c0a18e091f165daac7afa20d833f8f16d0442a5823f5a2dd4cc57be541eefff8f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 53fbbbc6a6dded3494cce882f81155c1
SHA1 06a1328a49c668dcf58907e408486808b6c9dfca
SHA256 847aa64e263168d11b39240d7ee147fba23feb7f3bc39db7c4aa3f7bc11001b1
SHA512 23c3b5bb43820201fb3b586f0c1e59560d9f30db62081f4001a52b5abd88e1db5befd0be132bb0e54a0445a76494e2a6934336e5b84bd117fe32c9d8c541de8e

memory/2548-3529-0x000000000A2A0000-0x000000000A2BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c2e070264b702e65a094e27609fcdc33
SHA1 32b9a0543e46cc2fd049fb5ed1b95e6824559f76
SHA256 702a068bd29a0c67879fafe0b916155ee5d3e52a71a693d72d87b3febead48da
SHA512 22e4f389facb67dae7be2b56d92dfad3c36340017118fc8b0ecc30c4d5468c1739ea981498a275884c2e0370ca1206486086d0ccac1f60f3a8d3f036fa440fe2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 38042c44c94234415f7960821e7dd8df
SHA1 850a3f1787ac7688e342521ec5d15bc92a26b6f0
SHA256 257ad4bebed018627fa2880837b1d51e4d552e01357413e399e67b19264c5d84
SHA512 d1fd4a0769935c71c38b3de461a8d6c478228d368e8c0449276319d70f91b4a872214f6f2c0258279f94b378b7d5e4fc1ed4d6f75dcedca1fa3bf13c544e3e46

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 28f8bfd95a6054c26ce22e79aecb4146
SHA1 6e6e6a1c5aa07acd250070baf856b76abc1c5f4e
SHA256 5995aac9ff7075519f890fdd131460276ad775f3d44b3550cf43ba90cbe978a6
SHA512 eba44e0d8e1d121d5fe728ae248ef790d8681d680818c76a4aafa923b98ade230a072ef65e724e9908e11dac9bf8ce617de3a4cb5929464976fe3561fc0aebd9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c497d95f673657b97789b1708130b814
SHA1 c36c7fbb3f8561cad344415c898971e0a7f33985
SHA256 0efbb840f79d15fc778c8ae9dd09c5146afe90b42ed84689fee74f3bb860b8d9
SHA512 96c8eabc057523f97eb10cfa142e3422235f4583e717b6d822e8c4c1bb798f54757925344121ebe5d5b9b90450177d124232191a4ca683581d826fcefccd2675

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 22161f5d0f540e92ce2db67de855be24
SHA1 e098398f5dd63ec7133a03726d76983a7c0bb0c5
SHA256 6e28a10af97c6a1f2d4204c4d2c38fc8a8aa832e0dd701b6a9835b6533ce48e9
SHA512 93e2a9a8d39259892ba9cce3b61da46f844895c10933fa7e373c9cb0c195479f92a9739247368bd1956031f589113510c7ec3f10b755b5f8fdec0912292e85a4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 01bf5e34c403959532e44b571e2028ad
SHA1 4fcf4713ba4de5e508d0a0f143591d300f3066dd
SHA256 07b2f5d16f0eb7d43f116795431077d628b1fefcaefbcd39c835d667f8b68100
SHA512 226a97e067e3c1c70b7cf5b5da735c4b4816044ae07c10b6a89f5fadd3c684a040201ecddf79ff1712a62ee88b5348f56d8860922a64adff9136fa83d63b6c88

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c0503a53438dc857f52038d5405330d5
SHA1 71d78109118890b5ff7817d6faebd631b20f4ac1
SHA256 6071cafd334e997ae113083efc81fc9707973a18bcff79f27b1e15ae70778d3b
SHA512 49618b84b17ce743a40820d44eeba090fe928405cd3b85e98e46fc5b539943bbb15806087e862afdd838f9fa681e157ddaff3dc6986e0b0b2ed770cc3caa0a64

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 30a697f75218c41eca32084228f92ddb
SHA1 e4257c9f705a5ec1fbeefeed133d1e6d9b214bc9
SHA256 b762c70386cd80da862d1ac8e9e55d0283d7636109b75d46135af2237e97b8f6
SHA512 9b86a31c3f435550c606652b2ad255e113009c2b5d054eee132dcf18683a76b74097b79fce55d59d536b4552285d6639283d6dc227881eecb6ed772f94182d88

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 091e769d5b6b963113a4600fce207ee2
SHA1 cba93dbbb1da605a9272b12fbfd1a526ae592bc4
SHA256 5086de679b4efee8ecb45c095af61852d7b6e192bff17a1b1dd0dd4047d4b6fc
SHA512 b1c333511bcd265d06a3dfd0fa483488b3eac463fc90195d5e6ec9a0e17dc5e89c7921dd6bffa344cdef0bbc71dd6b350bfc70b005e14bf4c9876f59d119ea35

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d234f3248a211df6cb5595de6cecce27
SHA1 9bfbc1df2b8feb9e0a54691e54f4f94ff18869af
SHA256 c2af8be8035f6a6b27d9594ce0cf943472e6e491d42a538da6267b708936c2a0
SHA512 8b94500cc8f1b526ba1bac2391dadcad1cd80c324cb2ea529c6a8e0f2ba7c5e66295722ca86c63bcfb173b1705d705c26f20b5bfac7c036df829174d396102b5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 65393e15b56ac0aa4b014b4be227c668
SHA1 fc13390bda76ff36c19bb9633b2fc253fe2a7e78
SHA256 2c05f8ef4a06f5f7d9d3f160c73ee371a33ac7463e76ddd40842e1373d73d8e1
SHA512 c0e1920f1c7aed72eb659d458dac62f3facc595f90253ad0b770c68049f7c95e35f2dfac1cd4b07edc3179b97d734b1ed8fe54d9849e4894b8040eb5b7f17cca

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f41453b84c71c8d452eea3d910fca1cb
SHA1 4a6b3727e97cc086d3bcee6c6f43a3f33e9b562a
SHA256 0809eabd3c6dc0d179ba5df176ec6572e092f54bd5bfe2e4379ca99ff72a1bc1
SHA512 ac323bd597c2de7e17a706df2be9e94eaed0c99dacfb6e0ea2a42d68fa49aa7be67abafbd86d4497c8b951fbece65ded48379d3f7ddb30c0ff4a29f8da172095

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 911591c7049739394bab4f79a1aef95b
SHA1 a2607b077e9738247833a256df9c2b7a2e49977a
SHA256 fdc5e8ca9462dfe7d7523452e8f60d2df0b24dd5101ebde9ec5b6f269f650169
SHA512 9231528a0e6d6c5b38769f100bac29341f2133027c7d8e03e98066cc6315d1f965f5ba8909cb7133bf1ef005fa1189c192f62986eeee63d3aefada93764d8012

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 417413f7b4b9cfe85a87ba0dda1cbf9e
SHA1 31d348e11353cefdde591d4a89013f7f470a0216
SHA256 1e55632a6aa5f6bd633751632e71be9f41eee9f0a8c2e2cdd57fcb3525f705e6
SHA512 12e19fbf8af2a2e6b53f1aec109fac22aaccf41bbba202df862ce84887de06d471df134b16c828cb2cd202f88fc1ac18dc25a25c9af6a18ef01602bf9b65eed7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ac7cd5f90f764dd3069a56a64728c7f9
SHA1 9e10796f886399467bd72494d1937a6a8e1a6c1f
SHA256 c0a3f4b7b9b09479800cd790855d08b88dc7fdf82dcf2a1ae97593b7832663ec
SHA512 43574d56949960458751531824d61dddb2184f2337e74d9635b7a8fedcf4c61da6fd5be54267bca0e03f5799390a43efa875ada42c91d5477ccfe9bb24df10a6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cf15a3fed2d09361032daacf62b2379c
SHA1 6e4b5f19b7b834726c5e102960b1ffc3b9de6a5d
SHA256 d8343c70a3ffd22017a7a4f905b88eb8d763c350f9d811d748b73df9e18e5439
SHA512 cb2512b88fca11dcd7f727e4c16e6ac696e8a869438ee36b697eeb880328ad35e8c4f0b5373f5b14e0c016802bf21d8124e3c384bc0c3bb3ff5b3192cd7ce92e

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-16 19:59

Reported

2024-03-16 20:02

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1736 set thread context of 2272 N/A C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2272 (13 events) N/A C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe
PID 2272 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe

"C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"

C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe

C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe

"C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3096 -ip 3096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 76

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 17.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/1736-0-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2272-3-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2272-4-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1736-5-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2272-6-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2272-7-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2272-11-0x0000000010410000-0x000000001046C000-memory.dmp

memory/3096-18-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/3096-19-0x0000000000580000-0x0000000000581000-memory.dmp

memory/2272-22-0x0000000010470000-0x00000000104CC000-memory.dmp

memory/2272-28-0x0000000000400000-0x0000000000588000-memory.dmp