Malware Analysis Report

2025-08-06 03:51

Sample ID 221030-yadvgafgb8
Target cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4
SHA256 cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4
Tags
cybergate rrrrrrrrrrrrrrrrrrrr persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4

Threat Level: Known bad

The file cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4 was found to be: Known bad.

Malicious Activity Summary

cybergate rrrrrrrrrrrrrrrrrrrr persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-30 19:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-30 19:34

Reported

2022-10-31 12:29

Platform

win7-20220812-en

Max time kernel

152s

Max time network

46s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\sssssssssssssss\\windows.exe" C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\sssssssssssssss\\windows.exe" C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\sssssssssssssss\windows.exe N/A
N/A N/A C:\Program Files (x86)\sssssssssssssss\windows.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "C:\\Program Files (x86)\\sssssssssssssss\\windows.exe Restart" C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "C:\\Program Files (x86)\\sssssssssssssss\\windows.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\sssssssssssssss\windows.exe C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
File opened for modification C:\Program Files (x86)\sssssssssssssss\windows.exe C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe
PID 1624 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe

"C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe"

C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe

C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe

"C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe"

C:\Program Files (x86)\sssssssssssssss\windows.exe

"C:\Program Files (x86)\sssssssssssssss\windows.exe"

C:\Program Files (x86)\sssssssssssssss\windows.exe

"C:\Program Files (x86)\sssssssssssssss\windows.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:288 tcp

Files

C:\Program Files (x86)\sssssssssssssss\windows.exe

MD5 a1ae6ded263b40837f428992c07edfdf
SHA1 88b2e10d50d28347b177520f568f5cac1e232f13
SHA256 cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4
SHA512 a755c09cbf241a67b5c722f8486684ecbfbaa8c2503a6dce86514b6306de2968c8a785bb68d2b92cc08c96a06c1b4ae1c0432578b6388d277a17696f6c5574a1

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 5be8bae4d399935f088e57d3befeaf28
SHA1 965463d4f1ffe89ee82197b96ac9daa1b5b70d69
SHA256 f71ae20887476c5252ed9fe0b65f602e67af80bb3fc1880839c6040745795818
SHA512 a274ab7e16a294558e1c5104eb0a114feb3c0928f556bf68de01f616790149b71fd003348d86a013c6adbe5ae95348a2ae423dffb018b210cf7f007e3616290c

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-30 19:34

Reported

2022-10-31 12:28

Platform

win10v2004-20220901-en

Max time kernel

151s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\sssssssssssssss\\windows.exe" C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\sssssssssssssss\\windows.exe" C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\sssssssssssssss\windows.exe N/A
N/A N/A C:\Program Files (x86)\sssssssssssssss\windows.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "C:\\Program Files (x86)\\sssssssssssssss\\windows.exe Restart" C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "C:\\Program Files (x86)\\sssssssssssssss\\windows.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\sssssssssssssss\windows.exe C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
File opened for modification C:\Program Files (x86)\sssssssssssssss\windows.exe C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\sssssssssssssss\windows.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4152 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe
PID 4924 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe C:\Windows\Explorer.EXE (this identical event is recorded 51 times in the report)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe

"C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe"

C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe

C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe

"C:\Users\Admin\AppData\Local\Temp\cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4.exe"

C:\Program Files (x86)\sssssssssssssss\windows.exe

"C:\Program Files (x86)\sssssssssssssss\windows.exe"

C:\Program Files (x86)\sssssssssssssss\windows.exe

"C:\Program Files (x86)\sssssssssssssss\windows.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4560 -ip 4560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 544

Network

Country Destination Domain Proto
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
US 52.182.141.63:443 tcp
FR 2.18.109.224:443 tcp
N/A 127.0.0.1:288 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
US 93.184.221.240:80 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp
N/A 127.0.0.1:288 tcp

Files

memory/4924-134-0x0000000000000000-mapping.dmp

memory/4924-135-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4924-136-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4924-137-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4924-138-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4924-140-0x0000000024010000-0x0000000024072000-memory.dmp

memory/364-144-0x0000000000000000-mapping.dmp

memory/4924-145-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/364-148-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Program Files (x86)\sssssssssssssss\windows.exe

MD5 a1ae6ded263b40837f428992c07edfdf
SHA1 88b2e10d50d28347b177520f568f5cac1e232f13
SHA256 cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4
SHA512 a755c09cbf241a67b5c722f8486684ecbfbaa8c2503a6dce86514b6306de2968c8a785bb68d2b92cc08c96a06c1b4ae1c0432578b6388d277a17696f6c5574a1

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 5be8bae4d399935f088e57d3befeaf28
SHA1 965463d4f1ffe89ee82197b96ac9daa1b5b70d69
SHA256 f71ae20887476c5252ed9fe0b65f602e67af80bb3fc1880839c6040745795818
SHA512 a274ab7e16a294558e1c5104eb0a114feb3c0928f556bf68de01f616790149b71fd003348d86a013c6adbe5ae95348a2ae423dffb018b210cf7f007e3616290c

memory/364-151-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3860-153-0x0000000000000000-mapping.dmp

memory/4924-154-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/4924-158-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3860-157-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/3860-159-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1532-160-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\sssssssssssssss\windows.exe

MD5 a1ae6ded263b40837f428992c07edfdf
SHA1 88b2e10d50d28347b177520f568f5cac1e232f13
SHA256 cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4
SHA512 a755c09cbf241a67b5c722f8486684ecbfbaa8c2503a6dce86514b6306de2968c8a785bb68d2b92cc08c96a06c1b4ae1c0432578b6388d277a17696f6c5574a1

memory/4560-164-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\sssssssssssssss\windows.exe

MD5 a1ae6ded263b40837f428992c07edfdf
SHA1 88b2e10d50d28347b177520f568f5cac1e232f13
SHA256 cda6d356bac8e57db4f61998e0de6bd402782c49dd2912625619503d25a9f5b4
SHA512 a755c09cbf241a67b5c722f8486684ecbfbaa8c2503a6dce86514b6306de2968c8a785bb68d2b92cc08c96a06c1b4ae1c0432578b6388d277a17696f6c5574a1

memory/4560-168-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4560-169-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3860-170-0x00000000240F0000-0x0000000024152000-memory.dmp