Malware Analysis Report

2025-06-16 00:59

Sample ID 220919-clklhafhdl
Target 94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf
SHA256 94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf
Tags
cybergate vítima persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf

Threat Level: Known bad

The file 94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf was found to be: Known bad.

Malicious Activity Summary

cybergate vítima persistence stealer trojan upx

CyberGate, Rebhip

UPX packed file

Adds policy Run key to start application

Modifies Installed Components in the registry

Checks BIOS information in registry

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-19 02:09

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-19 02:09

Reported

2022-09-19 03:11

Platform

win10v2004-20220812-en

Max time kernel

152s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\Note" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\Note" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7V6LJL6-B0OM-81Y0-PQJ7-2CI28T7DNWE7} C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7V6LJL6-B0OM-81Y0-PQJ7-2CI28T7DNWE7}\StubPath = "C:\\Windows\\system32\\install\\Note Restart" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\Note" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\Note" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\Note C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
File opened for modification C:\Windows\SysWOW64\install\Note C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\MiscStatus\ = "536" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\ = "Picture (Enhanced Metafile)" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\AuxUserType\2 C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\Conversion C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\Conversion\Readable\Main C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\DataFormats\GetSet\0\ = "14,1,64,3" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174} C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\AuxUserType C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\AuxUserType\2\LocalizedString = "@%SystemRoot%\\system32\\combase.dll,-5101" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\DataFormats\GetSet C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\DataFormats\GetSet\0 C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\AuxUserType\2\ = "Picture" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\Conversion\Readable C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\DataFormats C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\MiscStatus C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\DataFormats\DefaultFile C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\DataFormats\DefaultFile\ = "14" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32\ = "combase.dll" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe
PID 4224 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe

"C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe"

C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe

"C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 macaracar40.no-ip.info udp
US 52.109.13.63:443 tcp
US 67.24.179.254:80 tcp
US 52.182.143.210:443 tcp
FR 2.22.147.50:443 tcp
US 8.8.8.8:53 udp

Files

memory/2220-133-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/2220-134-0x00000000005D0000-0x0000000000618000-memory.dmp

memory/2220-139-0x00000000005D1000-0x00000000005FF000-memory.dmp

memory/2220-140-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/4224-143-0x0000000000000000-mapping.dmp

memory/4224-144-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2220-147-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/4224-148-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4224-151-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4224-152-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4224-154-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4792-158-0x0000000000000000-mapping.dmp

memory/4224-160-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4792-163-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4224-164-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 5b1c3c59d3881407811c769275d9b4f0
SHA1 b2396b6c604ef7484e5acb279a4df62972c6eee9
SHA256 dbe1ff0617b7d5b058ff28f9f5e8e1a0e4070dd44e4a6e766ba2e09562e28baf
SHA512 d465f44cc4fda2e61823524098cd9d4879306a1c79a043ea64479b1a5d796f38c07d7690173c015e8c15b1048061bc9323c145d7a36fa209a95463fc3611b46f

C:\Windows\SysWOW64\install\Note

MD5 ce3b6a1c6875606846426e1734498e60
SHA1 40eda5f8a08956b3504d03a1ac864709e8cc56e3
SHA256 94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf
SHA512 d339d277ef9298aa8cb9b24d47a62807b6d656636f84c392c7fa1fad105603ec6b62b8fd4e4bfcf3b565eb7c2fbf53e09243694990415bdfeeced74516108b16

memory/4792-167-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/4792-168-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4792-169-0x0000000024080000-0x00000000240E2000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-19 02:09

Reported

2022-09-19 03:11

Platform

win7-20220812-en

Max time kernel

151s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\Note" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\Note" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7V6LJL6-B0OM-81Y0-PQJ7-2CI28T7DNWE7} C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7V6LJL6-B0OM-81Y0-PQJ7-2CI28T7DNWE7}\StubPath = "C:\\Windows\\system32\\install\\Note Restart" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\Note" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\Note" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\Note C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
File opened for modification C:\Windows\SysWOW64\install\Note C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook.OlkSenderPhotoClass" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32\14.0.0.0 C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\ProgID\ = "Outlook.OlkSenderPhoto.1" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\ToolboxBitmap32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE,5517" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\Version\ = "9.4" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174} C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocHandler32\ = "ole32.dll" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\Typelib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\ = "Microsoft Outlook Sender Photo Control" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook.OlkSenderPhotoClass" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\ProgID C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\Typelib C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\Version C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\VersionIndependentProgID\ = "Outlook.OlkSenderPhoto" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\Control C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C266174-2C26-6174-2C26-61742C266174}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\OUTLOOK.EXE\"" C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1112 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe
PID 276 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe

"C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe"

C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe

"C:\Users\Admin\AppData\Local\Temp\94834e7e0a151b5d762c55a2e4395ef5b0ab33233bcf29fec370b8f5ec062fcf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 macaracar40.no-ip.info udp

Files

memory/1112-54-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/1112-55-0x0000000076031000-0x0000000076033000-memory.dmp

memory/1112-56-0x00000000001B0000-0x00000000001F8000-memory.dmp

memory/1112-61-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/276-64-0x0000000000400000-0x0000000000458000-memory.dmp

memory/276-65-0x0000000000400000-0x0000000000458000-memory.dmp

memory/276-67-0x0000000000400000-0x0000000000458000-memory.dmp

memory/276-69-0x0000000000455EB0-mapping.dmp

memory/276-68-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1112-71-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/1112-72-0x00000000001B1000-0x00000000001DF000-memory.dmp

memory/276-74-0x0000000000400000-0x0000000000458000-memory.dmp

memory/276-75-0x0000000000400000-0x0000000000458000-memory.dmp

memory/276-76-0x0000000000400000-0x0000000000458000-memory.dmp

memory/276-78-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1676-82-0x0000000000000000-mapping.dmp

memory/276-83-0x00000000002F0000-0x0000000000395000-memory.dmp

memory/1676-84-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/276-86-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1676-89-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1676-91-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/276-92-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 5b1c3c59d3881407811c769275d9b4f0
SHA1 b2396b6c604ef7484e5acb279a4df62972c6eee9
SHA256 dbe1ff0617b7d5b058ff28f9f5e8e1a0e4070dd44e4a6e766ba2e09562e28baf
SHA512 d465f44cc4fda2e61823524098cd9d4879306a1c79a043ea64479b1a5d796f38c07d7690173c015e8c15b1048061bc9323c145d7a36fa209a95463fc3611b46f

memory/1676-94-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1676-95-0x0000000024080000-0x00000000240E2000-memory.dmp