Malware Analysis Report

2025-08-10 17:47

Sample ID 221021-h2ryeahah4
Target 8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192
SHA256 8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192
Tags
cybergate china town hi persistence stealer trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192 was found to be: Known bad.

Malicious Activity Summary

CyberGate, Rebhip

Adds policy Run key to start application

UPX packed file

Modifies Installed Components in the registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2022-10-21 07:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-21 07:14

Reported

2022-10-21 16:26

Platform

win7-20220901-en

Max time kernel

151s

Max time network

53s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\javas.exe" C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\javas.exe" C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\javas.exe N/A
N/A N/A C:\Windows\SysWOW64\javas.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3N42BYO6-6S3E-2HN0-86KX-6QB06506447R}\StubPath = "C:\\Windows\\system32\\javas.exe Restart" C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3N42BYO6-6S3E-2HN0-86KX-6QB06506447R} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3N42BYO6-6S3E-2HN0-86KX-6QB06506447R}\StubPath = "C:\\Windows\\system32\\javas.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3N42BYO6-6S3E-2HN0-86KX-6QB06506447R} C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

UPX packed file

upx
Description Indicator Process Target
19 matches, all fields N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WIN32 = "C:\\Windows\\system32\\javas.exe" C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32 = "C:\\Windows\\system32\\javas.exe" C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\javas.exe C:\Windows\SysWOW64\javas.exe N/A
File created C:\Windows\SysWOW64\javas.exe C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
File opened for modification C:\Windows\SysWOW64\javas.exe C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
File opened for modification C:\Windows\SysWOW64\javas.exe C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
N/A N/A C:\Windows\SysWOW64\javas.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (repeated identical rows collapsed, count in parentheses)
PID 1376 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe (8 events)
PID 1952 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE (56 events)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe

"C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe"

C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe

"C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe

"C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe"

C:\Windows\SysWOW64\javas.exe

"C:\Windows\system32\javas.exe"

C:\Windows\SysWOW64\javas.exe

"C:\Windows\SysWOW64\javas.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 leoefelvoltou.no-ip.org udp
US 8.8.8.8:53 leofelvoltou.no-ip.org udp

Files

memory/1952-56-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1952-57-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1952-59-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1952-60-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1952-61-0x0000000000455C40-mapping.dmp

memory/1952-63-0x0000000075091000-0x0000000075093000-memory.dmp

memory/1952-64-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1952-65-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1952-66-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1952-68-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1240-71-0x0000000024010000-0x0000000024072000-memory.dmp

memory/764-74-0x0000000000000000-mapping.dmp

memory/764-76-0x00000000749F1000-0x00000000749F3000-memory.dmp

memory/1952-77-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/764-82-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 cf15c57f7ecde39356e7ac5b0ae5faaf
SHA1 2aa6fca7ac341f33fa3e75a6c14485f4aafe9bc0
SHA256 a9ee6545777ce3b4d9fd21543a585f285b06a2a97c64cc43ed1224d2df0abc78
SHA512 512effe9c3241384a1f40eb170dff33ddf1fc2a84cfc0903d62bd064776f0e4835cdc235075c7616194c67116e9f34b01a99daad3a111d0a4bcc4706d47ec70e

C:\Windows\SysWOW64\javas.exe

MD5 48211fdb1c49ea7fcedd4baea0b47e93
SHA1 4ef9e88b1e96bc064cbd3e711b314e70d6af711b
SHA256 8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192
SHA512 a3976b99fd59b9c77bbd8c72fb766c19a45a17727c6f5e1ea5f87d400eb17ed54c11a6a9f6fc59957c754dc77eedc37e285f3d08036e06abc86618c913078eac

memory/764-85-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1952-87-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1148-91-0x0000000000000000-mapping.dmp

memory/1952-93-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/1952-99-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1148-98-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/1148-100-0x0000000024160000-0x00000000241C2000-memory.dmp

\Windows\SysWOW64\javas.exe

MD5 48211fdb1c49ea7fcedd4baea0b47e93
SHA1 4ef9e88b1e96bc064cbd3e711b314e70d6af711b
SHA256 8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192
SHA512 a3976b99fd59b9c77bbd8c72fb766c19a45a17727c6f5e1ea5f87d400eb17ed54c11a6a9f6fc59957c754dc77eedc37e285f3d08036e06abc86618c913078eac

memory/1968-103-0x0000000000000000-mapping.dmp

\Windows\SysWOW64\javas.exe

MD5 48211fdb1c49ea7fcedd4baea0b47e93
SHA1 4ef9e88b1e96bc064cbd3e711b314e70d6af711b
SHA256 8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192
SHA512 a3976b99fd59b9c77bbd8c72fb766c19a45a17727c6f5e1ea5f87d400eb17ed54c11a6a9f6fc59957c754dc77eedc37e285f3d08036e06abc86618c913078eac

C:\Windows\SysWOW64\javas.exe

MD5 48211fdb1c49ea7fcedd4baea0b47e93
SHA1 4ef9e88b1e96bc064cbd3e711b314e70d6af711b
SHA256 8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192
SHA512 a3976b99fd59b9c77bbd8c72fb766c19a45a17727c6f5e1ea5f87d400eb17ed54c11a6a9f6fc59957c754dc77eedc37e285f3d08036e06abc86618c913078eac

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4063495947-34355257-727531523-1000\699c4b9cdebca7aaea5193cae8a50098_8e28fefd-2db0-4dd4-85d7-665f2cf2c74b

MD5 5b63d4dd8c04c88c0e30e494ec6a609a
SHA1 884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA256 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA512 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

memory/1232-113-0x0000000000455C40-mapping.dmp

C:\Windows\SysWOW64\javas.exe

MD5 48211fdb1c49ea7fcedd4baea0b47e93
SHA1 4ef9e88b1e96bc064cbd3e711b314e70d6af711b
SHA256 8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192
SHA512 a3976b99fd59b9c77bbd8c72fb766c19a45a17727c6f5e1ea5f87d400eb17ed54c11a6a9f6fc59957c754dc77eedc37e285f3d08036e06abc86618c913078eac

memory/1232-117-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1232-118-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1232-119-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1148-120-0x0000000024160000-0x00000000241C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-21 07:14

Reported

2022-10-21 16:26

Platform

win10v2004-20220901-en

Max time kernel

152s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\javas.exe" C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\javas.exe" C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\javas.exe N/A
N/A N/A C:\Windows\SysWOW64\javas.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3N42BYO6-6S3E-2HN0-86KX-6QB06506447R} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3N42BYO6-6S3E-2HN0-86KX-6QB06506447R}\StubPath = "C:\\Windows\\system32\\javas.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3N42BYO6-6S3E-2HN0-86KX-6QB06506447R} C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3N42BYO6-6S3E-2HN0-86KX-6QB06506447R}\StubPath = "C:\\Windows\\system32\\javas.exe Restart" C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

UPX packed file

upx
Description Indicator Process Target
17 matches, all fields N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WIN32 = "C:\\Windows\\system32\\javas.exe" C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN32 = "C:\\Windows\\system32\\javas.exe" C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\javas.exe C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
File opened for modification C:\Windows\SysWOW64\javas.exe C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
File opened for modification C:\Windows\SysWOW64\javas.exe C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
File opened for modification C:\Windows\SysWOW64\javas.exe C:\Windows\SysWOW64\javas.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\javas.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe N/A
N/A N/A C:\Windows\SysWOW64\javas.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (repeated identical rows collapsed, count in parentheses)
PID 1984 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe (8 events)
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
PID 3876 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe C:\Windows\Explorer.EXE
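
Sixty-four identical rows are easier to read as a counted injection graph. The script below is an added example (the editor's code, not sandbox output) that parses rows in the "PID <src> wrote to memory of <dst> <indicator> <process> <target>" layout used above, collapses them into counted edges, and walks the chain from the PID that writes but is never written to. The row layout and the same-image/cross-image labelling are the editor's assumptions; the sandbox does not classify writes this way, and a path containing spaces would need a different split than the whitespace regex used here.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the WriteProcessMemory rows above, as the sandbox
# prints them, duplicates included.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe")
EXPLORER = r"C:\Windows\Explorer.EXE"
ROWS = ([f"PID 1984 wrote to memory of 3876 N/A {SAMPLE} {SAMPLE}"] * 8
        + [f"PID 3876 wrote to memory of 2440 N/A {SAMPLE} {EXPLORER}"] * 56)

# Assumed row layout (editor's assumption): whitespace-separated columns,
# so a process path containing spaces would not match.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Edge:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str

    @property
    def kind(self) -> str:
        # Editor's classification: a write into another instance of the same
        # image is what a hollowed self-copy looks like (compare the
        # SetThreadContext signature); a write into a different image is
        # injection into a foreign process.
        if self.src_image.lower() == self.dst_image.lower():
            return "self"
        return "cross-image"


def parse_edges(rows):
    """Collapse raw rows into Edge -> number of writes."""
    counts = Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            continue  # not a WriteProcessMemory row; skip rather than guess
        src, dst, _indicator, src_img, dst_img = m.groups()
        counts[Edge(int(src), int(dst), src_img, dst_img)] += 1
    return counts


def injection_chain(counts):
    """Depth-first walk from the PIDs that write but are never written to."""
    by_src = {}
    for edge in counts:
        by_src.setdefault(edge.src_pid, []).append(edge)
    roots = {e.src_pid for e in counts} - {e.dst_pid for e in counts}
    chain, seen, stack = [], set(), sorted(roots, reverse=True)
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        for edge in sorted(by_src.get(pid, []), key=lambda e: e.dst_pid):
            chain.append(edge)
            stack.append(edge.dst_pid)
    return chain


def summarize(rows):
    """One dict per edge, in chain order, with the write count attached."""
    counts = parse_edges(rows)
    return [{"src": e.src_pid, "dst": e.dst_pid,
             "target": e.dst_image.rsplit("\\", 1)[-1],
             "kind": e.kind, "writes": counts[e]}
            for e in injection_chain(counts)]


if __name__ == "__main__":
    for step in summarize(ROWS):
        print(step)
```

On this report the walk yields two steps: a "self" edge with 8 writes and a "cross-image" edge into Explorer.EXE with 56 writes, which is the whole story the 64 rows tell.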

Processes

Image Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe "C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe"
C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe "C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe "C:\Users\Admin\AppData\Local\Temp\8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192.exe"
C:\Windows\SysWOW64\javas.exe "C:\Windows\system32\javas.exe"
C:\Windows\SysWOW64\javas.exe "C:\Windows\SysWOW64\javas.exe"
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2192 -ip 2192
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 524

Two explorer entries are listed: the shell's own C:\Windows\Explorer.EXE (PID 2440 in the WriteProcessMemory table) and a second, 32-bit explorer.exe started with the bare command line "explorer.exe", alongside an Internet Explorer instance; explorer and the default browser are the processes CyberGate builds are commonly configured to inject into. The first javas.exe command line names C:\Windows\system32\javas.exe while the image resolves to SysWOW64: the process is 32-bit, so WoW64 file-system redirection maps system32 to SysWOW64, which is also why the dropped copy appears under SysWOW64 in Files. Both WerFault.exe invocations reference -p 2192, so PID 2192 is the process behind the "Program crash" signature; its memory dumps in Files cover the same 0x400000-0x457000 image range as the other sample instances.

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 leoefelvoltou.no-ip.org udp 13
US 8.8.8.8:53 leofelvoltou.no-ip.org udp 12
US 20.189.173.15:443 - tcp 1
FR 2.18.109.224:443 - tcp 1

The repeated DNS rows are collapsed into the Count column. The sample alternates between two No-IP dynamic DNS hostnames that differ by a single letter (leoefelvoltou vs leofelvoltou); both should be treated as C2 indicators. No connection to a resolved address follows the lookups in this capture, consistent with neither name resolving during detonation. The two TLS connections carry no domain in the capture ("-" marks the empty cell).
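
Aggregating the network rows and flagging dynamic DNS and near-duplicate hostnames is the first thing an analyst does with a capture like this one. The script below is an added example (the editor's code, not sandbox output) that parses rows in the "Country Destination Domain Proto" layout used above, counts lookups per domain, separates direct connections, flags dynamic DNS suffixes and reports hostname pairs within a small edit distance of each other. The dynamic DNS suffix list and the edit-distance threshold are the editor's choices; the sandbox supplies neither.

```python
import re
from collections import Counter

# Constructed input: the Network rows above in the sandbox's
# "Country Destination Domain Proto" layout (Domain is empty for the two
# direct TCP connections); the order is not the capture order.
NETWORK_ROWS = (
    ["US 8.8.8.8:53 leoefelvoltou.no-ip.org udp",
     "US 8.8.8.8:53 leofelvoltou.no-ip.org udp"] * 12
    + ["US 8.8.8.8:53 leoefelvoltou.no-ip.org udp",
       "US 20.189.173.15:443 tcp",
       "FR 2.18.109.224:443 tcp"]
)

# Editor's list of dynamic DNS suffixes to flag; extend as needed.
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "no-ip.info", "ddns.net",
                   "zapto.org", "hopto.org", "sytes.net", "dyndns.org")

# Assumed row layout (editor's assumption): country, ip:port, optional
# domain, protocol, all whitespace-separated.
ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (udp|tcp)$")


def parse_network(rows):
    """Split rows into DNS lookups (domain -> count) and direct connections."""
    dns, direct = Counter(), Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            continue
        country, ip, port, domain, proto = m.groups()
        if domain:
            dns[domain.lower()] += 1
        else:
            direct[(country, ip, int(port), proto)] += 1
    return dns, direct


def is_dyndns(domain):
    return any(domain == s or domain.endswith("." + s) for s in DYNDNS_SUFFIXES)


def edit_distance(a, b):
    """Levenshtein distance; hostnames are short, so the O(len(a)*len(b))
    table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_pairs(domains, max_distance=2):
    """Hostname pairs that differ by only a few characters, e.g. a typo'd
    fallback C2 in the builder config next to the real one."""
    names = sorted(domains)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if edit_distance(a, b) <= max_distance]


def triage(rows):
    dns, direct = parse_network(rows)
    return {
        "dns": dict(dns),
        "dyndns": sorted(d for d in dns if is_dyndns(d)),
        "lookalikes": lookalike_pairs(dns),
        "direct": {f"{ip}:{port}/{proto}": n
                   for (_country, ip, port, proto), n in direct.items()},
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(key, value)
```

On this capture the output is two dynamic DNS hostnames at edit distance 1 from each other, 25 lookups in total, and two direct TLS connections with no associated lookup.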

Files

memory/3876-135-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3876-134-0x0000000000000000-mapping.dmp

memory/3876-137-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3876-138-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3876-139-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3876-141-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4616-145-0x0000000000000000-mapping.dmp

memory/3876-146-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4616-149-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 cf15c57f7ecde39356e7ac5b0ae5faaf
SHA1 2aa6fca7ac341f33fa3e75a6c14485f4aafe9bc0
SHA256 a9ee6545777ce3b4d9fd21543a585f285b06a2a97c64cc43ed1224d2df0abc78
SHA512 512effe9c3241384a1f40eb170dff33ddf1fc2a84cfc0903d62bd064776f0e4835cdc235075c7616194c67116e9f34b01a99daad3a111d0a4bcc4706d47ec70e

XX--XX--XX.txt in the user's Temp directory is the file name commonly reported as CyberGate's keylogger output; its content is what the "stealer" tag refers to.

C:\Windows\SysWOW64\javas.exe

MD5 48211fdb1c49ea7fcedd4baea0b47e93
SHA1 4ef9e88b1e96bc064cbd3e711b314e70d6af711b
SHA256 8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192
SHA512 a3976b99fd59b9c77bbd8c72fb766c19a45a17727c6f5e1ea5f87d400eb17ed54c11a6a9f6fc59957c754dc77eedc37e285f3d08036e06abc86618c913078eac

The SHA256 is that of the analysed sample: javas.exe is a byte-for-byte copy of the submitted file placed under SysWOW64 (the "Drops file in System32 directory" signature) and then started (the "Executes dropped EXE" signature and the javas.exe entries under Processes). Hunting for the sample hash alone would find this copy; hunting for the path catches rebuilt variants.

memory/4616-152-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3876-154-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/2208-158-0x0000000000000000-mapping.dmp

memory/3876-159-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/2208-162-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/3876-163-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2208-164-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/1532-165-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\javas.exe (written again; hashes identical to the entry above)

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-929662420-1054238289-2961194603-1000\699c4b9cdebca7aaea5193cae8a50098_4cfb5922-b036-4c14-9ed1-03c0dad19fbd

MD5 5b63d4dd8c04c88c0e30e494ec6a609a
SHA1 884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA256 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA512 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

memory/2192-170-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\javas.exe (written a third time; hashes identical to the entry above)

memory/2192-175-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2192-176-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2192-177-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2208-178-0x0000000024160000-0x00000000241C2000-memory.dmp
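
The Files section mixes dropped-file records with memory dump names, and the useful facts (which dropped file is a copy of the sample, how often a path was written, which dumped region sizes recur across PIDs) are spread across it. The script below is an added example (the editor's code, not sandbox output) that parses an excerpt of the section in the blank-line-separated layout used above, matches dropped-file SHA256 values against the sample hash, counts writes per path, and groups dumped regions by size to find sizes that appear in more than one PID. The "same region size in several processes" check is an editor's heuristic for spotting one payload mapped into several hosts, not a sandbox signature, and the excerpt below is constructed from the entries above rather than being the full section.

```python
import re
from collections import Counter, defaultdict

SAMPLE_SHA256 = "8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192"

# Constructed input: an excerpt of the Files section above, in the
# sandbox's layout (memory dump names, then a dropped-file path followed
# by its hash lines, records separated by blank lines).
FILES_TEXT = r"""
memory/3876-135-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3876-134-0x0000000000000000-mapping.dmp

memory/3876-141-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4616-149-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 cf15c57f7ecde39356e7ac5b0ae5faaf
SHA1 2aa6fca7ac341f33fa3e75a6c14485f4aafe9bc0
SHA256 a9ee6545777ce3b4d9fd21543a585f285b06a2a97c64cc43ed1224d2df0abc78
SHA512 512effe9c3241384a1f40eb170dff33ddf1fc2a84cfc0903d62bd064776f0e4835cdc235075c7616194c67116e9f34b01a99daad3a111d0a4bcc4706d47ec70e

C:\Windows\SysWOW64\javas.exe

MD5 48211fdb1c49ea7fcedd4baea0b47e93
SHA1 4ef9e88b1e96bc064cbd3e711b314e70d6af711b
SHA256 8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192
SHA512 a3976b99fd59b9c77bbd8c72fb766c19a45a17727c6f5e1ea5f87d400eb17ed54c11a6a9f6fc59957c754dc77eedc37e285f3d08036e06abc86618c913078eac

memory/2208-162-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Windows\SysWOW64\javas.exe

MD5 48211fdb1c49ea7fcedd4baea0b47e93
SHA1 4ef9e88b1e96bc064cbd3e711b314e70d6af711b
SHA256 8b15a0d2e0da7be8af7d2367751d3ba86ba643fb0f8fa79ab94ab950e3b52192
SHA512 a3976b99fd59b9c77bbd8c72fb766c19a45a17727c6f5e1ea5f87d400eb17ed54c11a6a9f6fc59957c754dc77eedc37e285f3d08036e06abc86618c913078eac

memory/2192-175-0x0000000000400000-0x0000000000457000-memory.dmp
"""

# Assumed name layouts (editor's assumption, matching the entries above):
# memory/<pid>-<seq>-<start>-<end>-memory.dmp or memory/<pid>-<seq>-0x0-mapping.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-"
                    r"(?:0x([0-9A-Fa-f]+)-memory|mapping)\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")


def parse_files(text):
    """Return (hashes_by_path, write_count_by_path, dumped_regions)."""
    hashes, writes, regions = {}, Counter(), []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            current = None
            if end is not None:  # mapping.dmp entries carry no address range
                regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            hashes[current][h.group(1)] = h.group(2).lower()
            continue
        current = line  # anything else is a dropped-file path
        hashes.setdefault(current, {})
        writes[current] += 1
    return hashes, writes, regions


def self_copies(hashes, sample_sha256):
    """Dropped files whose SHA256 equals the analysed sample."""
    return sorted(p for p, h in hashes.items()
                  if h.get("SHA256") == sample_sha256.lower())


def shared_region_sizes(regions):
    """Region sizes dumped from more than one PID (heuristic for one payload
    mapped into several processes)."""
    by_size = defaultdict(set)
    for pid, _seq, start, end in regions:
        by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def triage_files(text, sample_sha256=SAMPLE_SHA256):
    hashes, writes, regions = parse_files(text)
    return {
        "self_copies": self_copies(hashes, sample_sha256),
        "write_counts": dict(writes),
        "shared_region_sizes": shared_region_sizes(regions),
        "sha256_by_path": {p: h.get("SHA256") for p, h in hashes.items()},
    }


if __name__ == "__main__":
    for key, value in triage_files(FILES_TEXT).items():
        print(key, value)
```

On the excerpt, javas.exe comes back as the only self-copy (written twice in the excerpt, three times in the full section), the 0x57000-byte image range shows up in PIDs 2192 and 3876, and a 0x62000-byte region recurs in PIDs 2208, 3876 and 4616, which are the dumps worth opening first.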