File name: ser.exe

Full analysis: https://app.any.run/tasks/454bfbc9-8741-45f1-9e4c-3ceba2da8d82
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: January 16, 2025, 00:29:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: cybergate, rat, xor-url, generic, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 5 sections
MD5: 9E04A788281C727566873D9DF263AEC1
SHA1: 77A4C1A00320AE36E17BC10DA21A1B8D42BF34B0
SHA256: 282F463D7CDEC977D675231279365DD890F1480DAFA9D88473D5D47574E007B0
SSDEEP: 12288:LTajUSWV8C41YQinvA2VWl6ojM+n4PN/bxnqqc8ock0bjsQ9hCKDux:SAV8C4wnY96wM+4lP7bjnux

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • CYBERGATE mutex has been found
      • ser.exe (PID: 6412)
      • explorer.exe (PID: 6452)
      • ser.exe (PID: 6804)
      • server.exe (PID: 7096)
    • Changes the autorun value in the registry
      • ser.exe (PID: 6412)
    • XORed URL has been found (YARA)
      • explorer.exe (PID: 6452)
      • ser.exe (PID: 6804)
    • CYBERGATE has been detected (YARA)
      • explorer.exe (PID: 6452)
      • ser.exe (PID: 6804)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • ser.exe (PID: 6412)
    • Application launched itself
      • ser.exe (PID: 6384)
      • ser.exe (PID: 6412)
      • server.exe (PID: 7048)
    • Reads security settings of Internet Explorer
      • ser.exe (PID: 6804)
    • Starts itself from another location
      • ser.exe (PID: 6804)
    • Executes application which crashes
      • server.exe (PID: 7096)
  • INFO
    • Create files in a temporary directory
      • ser.exe (PID: 6384)
      • server.exe (PID: 7048)
      • ser.exe (PID: 6804)
    • Checks supported languages
      • ser.exe (PID: 6384)
      • ser.exe (PID: 6804)
      • ser.exe (PID: 6412)
      • server.exe (PID: 7048)
      • server.exe (PID: 7096)
    • Failed to create an executable file in Windows directory
      • ser.exe (PID: 6412)
    • The process uses the downloaded file
      • ser.exe (PID: 6804)
    • Reads the computer name
      • ser.exe (PID: 6412)
      • ser.exe (PID: 6804)
      • server.exe (PID: 7096)
    • Process checks computer location settings
      • ser.exe (PID: 6804)
    • Disables trace logs
      • server.exe (PID: 7096)
    • UPX packer has been detected
      • explorer.exe (PID: 6452)
      • ser.exe (PID: 6804)
    • Checks proxy server information
      • WerFault.exe (PID: 2260)
    • Creates files or folders in the user directory
      • WerFault.exe (PID: 2260)

xor-url

(PID) Process: (6452) explorer.exe
Decrypted URLs (1): http://www.hostme.name/sqlite3.dll
(PID) Process: (6804) ser.exe
Decrypted URLs (1): http://www.hostme.name/sqlite3.dll
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:06:09 13:28:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 28672
InitializedDataSize: 36864
UninitializedDataSize: 114688
EntryPoint: 0x23ae0
OSVersion: 4
ImageVersion: 4.3
SubsystemVersion: 4
Subsystem: Windows GUI
No data.

Total processes: 137
Monitored processes: 9
Malicious processes: 5
Suspicious processes: 1


Process information

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll

PID: 2260
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7096 -s 584
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: server.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\werfault.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll

PID: 6384
CMD: "C:\Users\admin\AppData\Local\Temp\ser.exe"
Path: C:\Users\admin\AppData\Local\Temp\ser.exe
Parent process: explorer.exe
User: admin
Company: Unknown Inc.
Integrity Level: MEDIUM
Description: No Description
Exit code: 0
Version: 4.03.0007
Modules (images): c:\users\admin\appdata\local\temp\ser.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvbvm60.dll

PID: 6412
CMD: C:\Users\admin\AppData\Local\Temp\ser.exe
Path: C:\Users\admin\AppData\Local\Temp\ser.exe
Parent process: ser.exe
User: admin
Company: Unknown Inc.
Integrity Level: MEDIUM
Description: No Description
Exit code: 0
Version: 4.03.0007
Modules (images): c:\users\admin\appdata\local\temp\ser.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll

PID: 6452
CMD: explorer.exe
Path: C:\Windows\SysWOW64\explorer.exe
Parent process: ser.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\explorer.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcp_win.dll
Indicators: xor-url
  (PID) Process: (6452) explorer.exe
  Decrypted URLs (1): http://www.hostme.name/sqlite3.dll

PID: 6776
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: ser.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.19041.1 (WinBuild.160101.0800)

PID: 6804
CMD: "C:\Users\admin\AppData\Local\Temp\ser.exe"
Path: C:\Users\admin\AppData\Local\Temp\ser.exe
Parent process: ser.exe
User: admin
Company: Unknown Inc.
Integrity Level: MEDIUM
Description: No Description
Version: 4.03.0007
Modules (images): c:\users\admin\appdata\local\temp\ser.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvbvm60.dll
Indicators: xor-url
  (PID) Process: (6804) ser.exe
  Decrypted URLs (1): http://www.hostme.name/sqlite3.dll

PID: 7048
CMD: "C:\Users\admin\AppData\Roaming\spynet\server.exe"
Path: C:\Users\admin\AppData\Roaming\spynet\server.exe
Parent process: ser.exe
User: admin
Company: Unknown Inc.
Integrity Level: MEDIUM
Description: No Description
Exit code: 0
Version: 4.03.0007
Modules (images): c:\users\admin\appdata\roaming\spynet\server.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvbvm60.dll

PID: 7096
CMD: C:\Users\admin\AppData\Roaming\spynet\server.exe
Path: C:\Users\admin\AppData\Roaming\spynet\server.exe
Parent process: server.exe
User: admin
Company: Unknown Inc.
Integrity Level: MEDIUM
Description: No Description
Exit code: 3221225477
Version: 4.03.0007
Modules (images): c:\users\admin\appdata\roaming\spynet\server.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll
Total events: 5 009
Read events: 4 992
Write events: 17
Delete events: 0

Modification events

(PID) Process: (6412) ser.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: HKLM
Value: C:\Users\admin\AppData\Roaming\spynet\server.exe

(PID) Process: (6412) ser.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: HKCU
Value: C:\Users\admin\AppData\Roaming\spynet\server.exe

(PID) Process: (6412) ser.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}
Operation: write
Name: StubPath
Value: C:\Users\admin\AppData\Roaming\spynet\server.exe Restart

(PID) Process: (6804) ser.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: FD52886700000000

(PID) Process: (7096) server.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\server_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7096) server.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\server_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (7096) server.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\server_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (7096) server.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\server_RASAPI32
Operation: write
Name: FileTracingMask
Value: (empty)

(PID) Process: (7096) server.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\server_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value: (empty)

(PID) Process: (7096) server.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\server_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576
Executable files: 1
Suspicious files: 9
Text files: 85
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2260 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_server.exe_d34c5a292cc14ed6996db528149e9b71a2352aad_8117b463_86c38d29-c9a5-4f5d-ab17-e3ad4d2823e6\Report.wer | (not reported)
  MD5: (not reported) | SHA256: (not reported)
6412 | ser.exe | C:\Users\admin\AppData\Local\Temp\XX--XX--XX.txt | binary
  MD5: 42A2AC1163F11D7578814818189CE3EA | SHA256: 5A0F0D428ABAA5A185C4C1E7B15ED4DD5EED5A14306836FC7F806FF2E7FA9B68
6412 | ser.exe | C:\Users\admin\AppData\Roaming\spynet\server.exe | executable
  MD5: 9E04A788281C727566873D9DF263AEC1 | SHA256: 282F463D7CDEC977D675231279365DD890F1480DAFA9D88473D5D47574E007B0
6384 | ser.exe | C:\Users\admin\AppData\Local\Temp\~DFCBAA5CD42FC9C6CD.TMP | binary
  MD5: 7F348D28BDB146E82994D3B0EEE77E1C | SHA256: 6D27CC9253DDA8A4CB7567415419498B17946A3F5B4E27F0D6EFC61602B8E55D
2260 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785 | der
  MD5: F6F53CD09A41E968C363419B279D3112 | SHA256: 6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
2260 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | binary
  MD5: FA84E4BCC92AA5DB735AB50711040CDE | SHA256: 6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
2260 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785 | binary
  MD5: 20DB6E1FAFF101D1C4E8D2D7F9061437 | SHA256: C8A82A7F5C07ACCB1DF46BDFC193F691447B0E36B2F50F05CB861D4E39B9E5E8
2260 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE | binary
  MD5: D2BEC941D9C304D6E700D37E6F4A2941 | SHA256: D094EFCEEF4D5D1481D5148C5FCE152ACC91EF18874C7FAEE231B8E0362FF177
2260 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\server.exe.7096.dmp | binary
  MD5: 3B8C03434A31B290A20C55FADE24CCCB | SHA256: CB7A4F51C4B91BDE3AD703B3793768DBBB8609AAD2390C62FD62CAFAE9E8E7CE
6804 | ser.exe | C:\Users\admin\AppData\Roaming\logs.dat | text
  MD5: E21BD9604EFE8EE9B59DC7605B927A2A | SHA256: 51A3FE220229AA3FDDDC909E20A4B107E7497320A00792A280A03389F2EACB46
HTTP(S) requests: 10
TCP/UDP connections: 35
DNS requests: 37
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.32.238.34:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | | | whitelisted
6540 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
| | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
6540 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted
2260 | WerFault.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
2260 | WerFault.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5432 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 23.32.238.34:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
| | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
| | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
| | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1176 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1076 | svchost.exe | 2.23.242.9:443 | go.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146, 20.73.194.208 | whitelisted
google.com | 172.217.16.142 | whitelisted
crl.microsoft.com | 23.32.238.34, 2.19.198.194, 2.16.164.72, 2.16.164.49 | whitelisted
www.bing.com | 2.23.227.215, 2.23.227.208 | whitelisted
www.microsoft.com | 184.30.21.171, 2.23.246.101 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
login.live.com | 20.190.159.0, 20.190.159.68, 20.190.159.64, 40.126.31.71, 20.190.159.73, 20.190.159.2, 40.126.31.73, 40.126.31.69 | whitelisted
go.microsoft.com | 2.23.242.9 | whitelisted
www.hostme.name | | unknown
firebird123.no-ip.biz | | unknown

Threats

PID | Process | Class | Message
2192 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
| | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
No debug info