Malware Analysis Report

2025-08-10 17:47

Sample ID 221021-jxhplsaeek
Target 2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe
SHA256 2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe
Tags
cybergate server persistence stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe

Threat Level: Known bad

The file 2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe was found to be: Known bad.

Malicious Activity Summary

cybergate server persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2022-10-21 08:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-21 08:02

Reported

2022-10-21 17:26

Platform

win7-20220812-en

Max time kernel

152s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Installer\\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Installer\\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Installer\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Installer\taskmgr.EXE N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0M187M3-Q7CS-B438-J005-5W355T6K602G} C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0M187M3-Q7CS-B438-J005-5W355T6K602G}\StubPath = "C:\\Windows\\system32\\Installer\\taskmgr.exe Restart" C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0M187M3-Q7CS-B438-J005-5W355T6K602G} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0M187M3-Q7CS-B438-J005-5W355T6K602G}\StubPath = "C:\\Windows\\system32\\Installer\\taskmgr.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Installer\\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Installer\\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Installer\ C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
File opened for modification C:\Windows\SysWOW64\Installer\taskmgr.EXE C:\Windows\SysWOW64\Installer\taskmgr.exe N/A
File created C:\Windows\SysWOW64\Installer\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
File opened for modification C:\Windows\SysWOW64\Installer\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
File opened for modification C:\Windows\SysWOW64\Installer\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Installer\taskmgr.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 1264 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE
PID 916 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe

"C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe"

C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE

"C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE

"C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE"

C:\Windows\SysWOW64\Installer\taskmgr.exe

"C:\Windows\system32\Installer\taskmgr.exe"

C:\Windows\SysWOW64\Installer\taskmgr.EXE

"C:\Windows\SysWOW64\Installer\taskmgr.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ncn.dyndns.tv udp
US 8.8.8.8:53 adsll.no-ip.org udp

Files

memory/1264-54-0x0000000076711000-0x0000000076713000-memory.dmp

memory/916-57-0x0000000000400000-0x0000000000450000-memory.dmp

memory/916-58-0x000000000040BBF4-mapping.dmp

memory/916-59-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1264-60-0x0000000000400000-0x00000000007A5000-memory.dmp

memory/916-62-0x0000000000400000-0x0000000000450000-memory.dmp

memory/916-63-0x0000000000400000-0x0000000000450000-memory.dmp

memory/916-65-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1232-68-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1752-71-0x0000000000000000-mapping.dmp

memory/1752-73-0x0000000075331000-0x0000000075333000-memory.dmp

memory/916-74-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1752-79-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 033df6795e279c527784717204112afe
SHA1 db981763475890e8f5f21ae72be7e4c20384ac86
SHA256 6938dd59f79bc92bcf3e8643e83e354c31e35547f19e826d0af72637cdd8ee5d
SHA512 a5a82c0713899aa9dd7346c77d6dcaaef42377e410ddaa95ddde81144e3fdeee9db316bd4b1147e0c26d9e8b25cf7e9c1093f28d9ee5c083a68d0ec4b3724d50

C:\Windows\SysWOW64\Installer\taskmgr.exe

MD5 49dceb9bc4f10b3492d28554a6cc747f
SHA1 0052331ebaf4abc2373597faadd0e4818f3606af
SHA256 2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe
SHA512 e1cb037eccbb09b8a6b5bf9d1d578d5b06f3911e5f3e05c539d7da8e1e063443d252ba8ece2ae4265d9e7dae532fffcc6632c60d611dd5172f2b75bc3fb8aad5

memory/1752-82-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1052-84-0x0000000000000000-mapping.dmp

memory/916-86-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1052-91-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/916-92-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1052-93-0x0000000000400000-0x00000000007A5000-memory.dmp

\Windows\SysWOW64\Installer\taskmgr.exe

MD5 49dceb9bc4f10b3492d28554a6cc747f
SHA1 0052331ebaf4abc2373597faadd0e4818f3606af
SHA256 2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe
SHA512 e1cb037eccbb09b8a6b5bf9d1d578d5b06f3911e5f3e05c539d7da8e1e063443d252ba8ece2ae4265d9e7dae532fffcc6632c60d611dd5172f2b75bc3fb8aad5

C:\Windows\SysWOW64\Installer\taskmgr.exe

MD5 49dceb9bc4f10b3492d28554a6cc747f
SHA1 0052331ebaf4abc2373597faadd0e4818f3606af
SHA256 2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe
SHA512 e1cb037eccbb09b8a6b5bf9d1d578d5b06f3911e5f3e05c539d7da8e1e063443d252ba8ece2ae4265d9e7dae532fffcc6632c60d611dd5172f2b75bc3fb8aad5

memory/1012-97-0x0000000000000000-mapping.dmp

\Windows\SysWOW64\Installer\taskmgr.exe

MD5 49dceb9bc4f10b3492d28554a6cc747f
SHA1 0052331ebaf4abc2373597faadd0e4818f3606af
SHA256 2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe
SHA512 e1cb037eccbb09b8a6b5bf9d1d578d5b06f3911e5f3e05c539d7da8e1e063443d252ba8ece2ae4265d9e7dae532fffcc6632c60d611dd5172f2b75bc3fb8aad5

memory/1052-94-0x00000000240F0000-0x0000000024152000-memory.dmp

\??\c:\users\admin\appdata\local\temp\EF67EAF9

MD5 2589ff665bc52e79071ff0f5688bc553
SHA1 d3411b3103044bf36ca303a703153d675e62edc0
SHA256 d4351692cd166f4af4f73e76b895a6aedb096ddbac0cf80835bd16da4039a314
SHA512 41693f1b24d9e4aa09a920ccd910d70e24e14665c3d1127c0dbb345d25ac3b96d2164437555f2b66151d0c7ce2873c61898d173c65135bdff9e813223d9b0fec

memory/1740-104-0x000000000040BBF4-mapping.dmp

memory/1012-107-0x0000000000400000-0x00000000007A5000-memory.dmp

C:\Windows\SysWOW64\Installer\taskmgr.exe

MD5 49dceb9bc4f10b3492d28554a6cc747f
SHA1 0052331ebaf4abc2373597faadd0e4818f3606af
SHA256 2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe
SHA512 e1cb037eccbb09b8a6b5bf9d1d578d5b06f3911e5f3e05c539d7da8e1e063443d252ba8ece2ae4265d9e7dae532fffcc6632c60d611dd5172f2b75bc3fb8aad5

memory/1740-109-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1052-110-0x0000000007000000-0x00000000073A5000-memory.dmp

memory/1740-111-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1740-112-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1052-113-0x00000000240F0000-0x0000000024152000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-21 08:02

Reported

2022-10-21 17:26

Platform

win10v2004-20220812-en

Max time kernel

153s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Installer\\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Installer\\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Installer\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Installer\taskmgr.EXE N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0M187M3-Q7CS-B438-J005-5W355T6K602G}\StubPath = "C:\\Windows\\system32\\Installer\\taskmgr.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0M187M3-Q7CS-B438-J005-5W355T6K602G} C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0M187M3-Q7CS-B438-J005-5W355T6K602G}\StubPath = "C:\\Windows\\system32\\Installer\\taskmgr.exe Restart" C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0M187M3-Q7CS-B438-J005-5W355T6K602G} C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Installer\\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Installer\\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Installer\taskmgr.EXE C:\Windows\SysWOW64\Installer\taskmgr.exe N/A
File created C:\Windows\SysWOW64\Installer\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
File opened for modification C:\Windows\SysWOW64\Installer\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
File opened for modification C:\Windows\SysWOW64\Installer\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
File opened for modification C:\Windows\SysWOW64\Installer\ C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Installer\taskmgr.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Installer\taskmgr.EXE

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4892 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE 13
PID 4460 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE C:\Windows\Explorer.EXE 51

The sandbox logged each WriteProcessMemory call as its own row; the table above collapses identical rows and gives the count. Two distinct write patterns appear. The first 13 writes go from the packed parent (PID 4892) into a freshly started copy of itself (PID 4460, same file name with an upper-case extension). Taken together with the SetThreadContext signature and the memory dumps later in this report (the parent's image at 0x400000 spans 0x3A5000 bytes, the child's only 0x50000), this is consistent with the child's image being replaced before its main thread runs, the RunPE-style hollowing CyberGate builds are known for. The remaining 51 writes go from that child (PID 4460) into the shell process Explorer.EXE (PID 1396), which is the injection into a long-lived, trusted process that the rest of the signatures attribute to the sample.
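The WriteProcessMemory rows above are what the sandbox saw; on a fleet the same behaviour shows up as Sysmon Event ID 10 (ProcessAccess) records. The script below is an added example written for this report and is not part of the sandbox output: it pulls the last week of Event ID 10 records and keeps those where a binary running from the user's Temp directory opened explorer.exe, or another Temp binary, with the access rights WriteProcessMemory needs. It assumes Sysmon is installed with a ProcessAccess rule that logs accesses to explorer.exe (the default configurations mostly log lsass.exe only), and the log name, event fields and access-mask constants are Sysmon's and Windows' documented ones.

```powershell
# Added example (not from the sandbox report): hunt Sysmon ProcessAccess (Event ID 10)
# records for the cross-process write pattern in the report, i.e. a binary under
# \AppData\Local\Temp\ opening explorer.exe (or a second copy of itself in Temp)
# with the rights WriteProcessMemory requires.
# Assumption: Sysmon logs ProcessAccess for explorer.exe targets in your config.

# PROCESS_VM_OPERATION (0x0008) | PROCESS_VM_WRITE (0x0020): the minimum for WriteProcessMemory.
# PROCESS_CREATE_THREAD (0x0002) and PROCESS_SUSPEND_RESUME (0x0800) typically accompany
# a RunPE / SetThreadContext follow-up, so they are reported but not required.
$WriteMask = 0x0008 -bor 0x0020

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 10
    StartTime = (Get-Date).AddDays(-7)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # GrantedAccess is logged as a hex string such as "0x1FFFFF".
    $granted   = [Convert]::ToInt32($d.GrantedAccess, 16)
    $srcInTemp = $d.SourceImage -match '\\AppData\\Local\\Temp\\'
    $tgtShell  = $d.TargetImage -match '\\explorer\.exe$'          # -match is case-insensitive
    $tgtTemp   = $d.TargetImage -match '\\AppData\\Local\\Temp\\'   # self-copy hollowing case

    if ($srcInTemp -and ($tgtShell -or $tgtTemp) -and (($granted -band $WriteMask) -eq $WriteMask)) {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            SourcePid     = $d.SourceProcessId
            SourceImage   = $d.SourceImage
            TargetPid     = $d.TargetProcessId
            TargetImage   = $d.TargetImage
            GrantedAccess = $d.GrantedAccess
            CanCreateThread = (($granted -band 0x0002) -ne 0)
            CanSuspend      = (($granted -band 0x0800) -ne 0)
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Sysmon records one Event ID 10 per OpenProcess handle rather than one per WriteProcessMemory call, so a hit here corresponds to a burst of rows like the 13 and 51 writes the sandbox logged, not to each row individually. Tune the Temp path pattern if your users' download or staging directories differ.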

Processes

Each process is listed as its image path followed by the command line it was started with.

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe

"C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.exe"

C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE

"C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE

"C:\Users\Admin\AppData\Local\Temp\2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe.EXE"

C:\Windows\SysWOW64\Installer\taskmgr.exe

"C:\Windows\system32\Installer\taskmgr.exe"

C:\Windows\SysWOW64\Installer\taskmgr.EXE

"C:\Windows\SysWOW64\Installer\taskmgr.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2276 -ip 2276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 564

Three points in this list matter for triage. First, the dropped "taskmgr.exe" is launched with a C:\Windows\system32\Installer\ path but its image resolves under C:\Windows\SysWOW64\Installer\: the sample is a 32-bit binary, so WoW64 file system redirection maps both its system32 write and its system32 launch to SysWOW64. The name imitates the real Task Manager (C:\Windows\System32\Taskmgr.exe), which lives in a different directory, so a path check rather than a name check separates the two. Second, a 32-bit explorer.exe is started from SysWOW64 with the bare command line "explorer.exe", which is not how the logged-on user's shell (C:\Windows\Explorer.EXE, the first entry) is normally launched; a second shell instance of the other bitness is a useful hunting pivot on its own. Third, the two WerFault.exe instances are Windows Error Reporting handling the crash of PID 2276 (the "Program crash" signature); the memory dumps for 2276 later in this report show the same 0x400000-0x450000 image as the hollowed child PID 4460.

Network

Country Destination Domain Proto Count
US 93.184.221.240:80 (none) tcp 4
US 8.8.8.8:53 ncn.dyndns.tv udp 11
US 8.8.8.8:53 adsll.no-ip.org udp 9
NL 13.69.109.130:443 (none) tcp 1

The capture logged every DNS query as its own row; the table above collapses identical rows and gives the count. The only hostnames queried are the two dynamic-DNS names ncn.dyndns.tv and adsll.no-ip.org, looked up through 8.8.8.8 over and over and never followed by a TCP connection to any address other than the two shown. That pattern is consistent with the command-and-control names not resolving at detonation time (dynamic-DNS hosts such as no-ip.org and dyndns.tv are the usual CyberGate C2 choice, and such names are often dead by the time a sample is analysed). The two direct TCP destinations have no DNS query associated with them in the capture and no domain recorded, so nothing on this page ties them to the sample rather than to background OS traffic; treat the two hostnames, not these two IPs, as the network indicators to block and hunt for.

Files

Dropped files

C:\Windows\SysWOW64\Installer\taskmgr.exe (written three times during the run; identical hashes each time)

MD5 49dceb9bc4f10b3492d28554a6cc747f
SHA1 0052331ebaf4abc2373597faadd0e4818f3606af
SHA256 2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe
SHA512 e1cb037eccbb09b8a6b5bf9d1d578d5b06f3911e5f3e05c539d7da8e1e063443d252ba8ece2ae4265d9e7dae532fffcc6632c60d611dd5172f2b75bc3fb8aad5

The SHA256 is the submitted sample's own hash: the "taskmgr.exe" is a byte-for-byte copy of the sample dropped for persistence, not a patched Task Manager, so the sample's hash is also the hash of the persisted file.

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 033df6795e279c527784717204112afe
SHA1 db981763475890e8f5f21ae72be7e4c20384ac86
SHA256 6938dd59f79bc92bcf3e8643e83e354c31e35547f19e826d0af72637cdd8ee5d
SHA512 a5a82c0713899aa9dd7346c77d6dcaaef42377e410ddaa95ddde81144e3fdeee9db316bd4b1147e0c26d9e8b25cf7e9c1093f28d9ee5c083a68d0ec4b3724d50

\??\c:\users\admin\appdata\local\temp\EF67EAF9

MD5 2589ff665bc52e79071ff0f5688bc553
SHA1 d3411b3103044bf36ca303a703153d675e62edc0
SHA256 d4351692cd166f4af4f73e76b895a6aedb096ddbac0cf80835bd16da4039a314
SHA512 41693f1b24d9e4aa09a920ccd910d70e24e14665c3d1127c0dbb345d25ac3b96d2164437555f2b66151d0c7ce2873c61898d173c65135bdff9e813223d9b0fec

Memory dumps

The sandbox names each dump memory/<PID>-<index>-<start>-<end>-memory.dmp; the index is the order in which dumps were taken. A "mapping" entry with a zero address is recorded for each newly created process rather than for a memory region, which is why the initial process (PID 4892) has none.

PID Index Region
4892 132, 133, 140 0x0000000000400000-0x00000000007A5000
4460 136 (mapping)
4460 137, 138, 139, 141, 160 0x0000000000400000-0x0000000000450000
4460 143 0x0000000024010000-0x0000000024072000
4460 148 0x0000000024080000-0x00000000240E2000
4460 157 0x00000000240F0000-0x0000000024152000
2188 147 (mapping)
2188 151, 154 0x0000000024080000-0x00000000240E2000
1388 156 (mapping)
1388 162 0x0000000000400000-0x00000000007A5000
1388 161, 163, 177 0x00000000240F0000-0x0000000024152000
3480 164 (mapping)
3480 166, 175 0x0000000000400000-0x00000000007A5000
2276 170 (mapping)
2276 174, 176 0x0000000000400000-0x0000000000450000

Two things stand out in the dump list. The image at 0x400000 is 0x3A5000 bytes in PIDs 4892, 1388 and 3480 (the UPX-packed sample as it exists on disk and its dropped copies) but only 0x50000 bytes in PIDs 4460 and 2276, consistent with those two processes running a replaced, unpacked image rather than the file they were started from. And each of the three 0x62000-byte regions at 0x24010000, 0x24080000 and 0x240F0000 was first dumped from PID 4460, with two of them reappearing at exactly the same address and size in PIDs 2188 and 1388 respectively, consistent with PID 4460 writing the same payload into those processes. For analysis, the 4460 dumps at 0x400000-0x450000 are the ones to load: they hold the unpacked CyberGate server image, whereas the 4892 dump is still the packed stub.
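The dropped path, its hashes and the two hostnames above are the host-level indicators of this sample. The script below is an added example written for this report, not part of the sandbox output: it sweeps a Windows host for those indicators. The paths, hashes and domains are copied from the report; the registry locations are the standard Run and policy Run keys, which the script checks for any value pointing at the dropped taskmgr.exe copy. It checks both the SysWOW64 and the System32 spelling of the drop path because a 32-bit sample's system32 write lands under SysWOW64 on 64-bit Windows, while on 32-bit Windows there is no redirection. Run it from an elevated PowerShell so the System32 and HKLM checks are not denied.

```powershell
# Added example (not part of the sandbox report): sweep a Windows host for the
# artifacts the report lists. Values below are the report's own indicators.
# Run as Administrator so HKLM and the System32 directory are readable.

$SampleSha256 = '2e5b2cf7c8a4907cb364c686b07ef31d7c3458e20ed7c700e08d503d3c41a8fe'
$Hits = [System.Collections.Generic.List[string]]::new()

# 1. Dropped self-copy. The sample writes to system32\Installer\ as a 32-bit process,
#    so on 64-bit Windows the file actually lands under SysWOW64 (WoW64 file system
#    redirection); check both so the sweep works on either platform.
$DropPaths = @(
    "$env:SystemRoot\SysWOW64\Installer\taskmgr.exe",
    "$env:SystemRoot\System32\Installer\taskmgr.exe"
)
foreach ($p in $DropPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $Hits.Add("file present: $p (SHA256 $h; matches sample: $($h -eq $SampleSha256))")
    }
}

# 2. Temp artifacts the sandbox recorded. Their contents (and so their hashes) may
#    differ per victim, so only presence is reported.
foreach ($n in 'XX--XX--XX.txt', 'EF67EAF9') {
    $p = Join-Path $env:LOCALAPPDATA "Temp\$n"
    if (Test-Path -LiteralPath $p) { $Hits.Add("temp artifact present: $p") }
}

# 3. Persistence: any Run or policy Run value that launches the dropped copy.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    # Skip the PS* provider properties Get-ItemProperty adds; the rest are value names.
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        if ("$($props.$name)" -match 'Installer\\taskmgr\.exe') {
            $Hits.Add("run value: $k\$name = $($props.$name)")
        }
    }
}

# 4. C2 hostnames in the local resolver cache (only visible while the TTL is live,
#    and only if the name resolved at all; a dead name leaves no cache entry).
$C2 = 'ncn.dyndns.tv', 'adsll.no-ip.org'
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $C2 -contains $_.Entry } |
    ForEach-Object { $Hits.Add("dns cache: $($_.Entry) -> $($_.Data)") }

if ($Hits.Count) { $Hits | ForEach-Object { Write-Warning $_ } } else { 'no report artifacts found' }
```

The hash comparison matters more than the path: a later build of the same kit will reuse the Installer\taskmgr.exe location with a different binary, so a path hit with a non-matching hash is still worth pulling for analysis rather than dismissing. The DNS cache check is the weakest of the four, as the report itself suggests the names were not resolving; pair it with resolver or proxy logs where you have them.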