Malware Analysis Report

2025-08-06 03:52

Sample ID 221030-x43v1sfdf6
Target 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
Tags
cybergate lammer persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4

Threat Level: Known bad

The file 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4 was found to be: Known bad.

Malicious Activity Summary

cybergate lammer persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

UPX packed file

Modifies Installed Components in the registry

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-30 19:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-30 19:25

Reported

2022-10-31 12:16

Platform

win7-20220812-en

Max time kernel

150s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GP06C732-5R7R-8WST-656S-36O7HRB70241} C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GP06C732-5R7R-8WST-656S-36O7HRB70241}\StubPath = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe Restart" C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GP06C732-5R7R-8WST-656S-36O7HRB70241} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GP06C732-5R7R-8WST-656S-36O7HRB70241}\StubPath = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Avirnt = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avgnt = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe N/A
Token: SeDebugPrivilege N/A C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe

"C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe"

C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe

"C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/1104-56-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1104-57-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1104-59-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1104-60-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1104-61-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1104-62-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1104-63-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1104-65-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1104-66-0x000000000040BBF0-mapping.dmp

memory/1104-67-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1140-68-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1104-69-0x0000000075F51000-0x0000000075F53000-memory.dmp

memory/1104-70-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1104-71-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1104-73-0x0000000024010000-0x0000000024070000-memory.dmp

memory/1256-76-0x0000000024010000-0x0000000024070000-memory.dmp

memory/2032-79-0x0000000000000000-mapping.dmp

memory/2032-81-0x0000000074711000-0x0000000074713000-memory.dmp

memory/1104-82-0x0000000024070000-0x00000000240D0000-memory.dmp

memory/2032-87-0x0000000024070000-0x00000000240D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 c68cc29c58475f1baa75aa0f0bae0909
SHA1 1deda0c25018a33c1871689437b5c642d08f865d
SHA256 53de59b31221145ad36806caf024d0ea798c39ccb31744ce8b78370e52f09873
SHA512 491a6f065c361064b91d931ed5516771846b6fe8005cc9a0073afee250fdd33d1b39da8869db0e007514f2f321cbfe1d0bf745870f8dca35cae2871146fcf113

\??\c:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

memory/2032-90-0x0000000024070000-0x00000000240D0000-memory.dmp

\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

memory/1280-93-0x0000000000000000-mapping.dmp

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

memory/1104-95-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1068-108-0x000000000040BBF0-mapping.dmp

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

memory/1280-111-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1068-113-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1068-114-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1388-116-0x0000000000000000-mapping.dmp

\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

memory/1644-130-0x000000000040BBF0-mapping.dmp

memory/1388-133-0x0000000000400000-0x000000000040E000-memory.dmp

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

memory/2032-136-0x0000000002ED0000-0x0000000002EDE000-memory.dmp

memory/1644-137-0x0000000000400000-0x000000000044E000-memory.dmp

memory/304-139-0x0000000000000000-mapping.dmp

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

memory/304-141-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1068-143-0x0000000024010000-0x0000000024070000-memory.dmp

memory/1068-149-0x0000000000400000-0x000000000044E000-memory.dmp

memory/304-148-0x0000000024010000-0x0000000024070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 0d0a32cd034035a9809326d96598b825
SHA1 f9148b07f2f9c7e17329b460b9579a3f8f0233d5
SHA256 44c11412ad0a5dfdcab7c3a69f88ddae713e8a17218bde8064cb8eb3c1a04ab4
SHA512 84588fac42fd1a434802d8e9722a54caad08ddfdc8d77a8cad4af680e923675798889ecc33de47d858804a28fe071b777874f7c0f18012c198bcf61ef71ad3f7

memory/916-151-0x0000000000000000-mapping.dmp

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

memory/1924-165-0x000000000040BBF0-mapping.dmp

memory/916-166-0x0000000000400000-0x000000000040E000-memory.dmp

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

memory/1924-171-0x0000000000400000-0x000000000044E000-memory.dmp

memory/304-172-0x0000000024010000-0x0000000024070000-memory.dmp

memory/1924-173-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1644-174-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2032-175-0x0000000002ED0000-0x0000000002EDE000-memory.dmp

memory/304-176-0x0000000024010000-0x0000000024070000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-30 19:25

Reported

2022-10-31 12:17

Platform

win10v2004-20220812-en

Max time kernel

170s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GP06C732-5R7R-8WST-656S-36O7HRB70241} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GP06C732-5R7R-8WST-656S-36O7HRB70241}\StubPath = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GP06C732-5R7R-8WST-656S-36O7HRB70241} C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GP06C732-5R7R-8WST-656S-36O7HRB70241}\StubPath = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe Restart" C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avgnt = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Avirnt = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe N/A
Token: SeDebugPrivilege N/A C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3688 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe
PID 2372 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe C:\Windows\Explorer.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe

"C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe

"C:\Users\Admin\AppData\Local\Temp\6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3036 -ip 3036

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 532

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 20.189.173.1:443 tcp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 209.197.3.8:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 c68cc29c58475f1baa75aa0f0bae0909
SHA1 1deda0c25018a33c1871689437b5c642d08f865d
SHA256 53de59b31221145ad36806caf024d0ea798c39ccb31744ce8b78370e52f09873
SHA512 491a6f065c361064b91d931ed5516771846b6fe8005cc9a0073afee250fdd33d1b39da8869db0e007514f2f321cbfe1d0bf745870f8dca35cae2871146fcf113

\??\c:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

MD5 824b3506d2ab0f74351789f19e4afe80
SHA1 7429041f3cbbe23f2445cbd34d4baa80ff171a94
SHA256 6394153c75d25ed54cf47ccdfccf28a0e230aa6d08fc3168616cd967619cd5f4
SHA512 4ce0380ee22f9d294391d7f57707d74066a685a24c4dfe9c4203adf1836f80eef556b6fcca8c27f44baabc22db04c2495af6f58787dd51a9ce1bcd850c6af003

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 0d0a32cd034035a9809326d96598b825
SHA1 f9148b07f2f9c7e17329b460b9579a3f8f0233d5
SHA256 44c11412ad0a5dfdcab7c3a69f88ddae713e8a17218bde8064cb8eb3c1a04ab4
SHA512 84588fac42fd1a434802d8e9722a54caad08ddfdc8d77a8cad4af680e923675798889ecc33de47d858804a28fe071b777874f7c0f18012c198bcf61ef71ad3f7
