Malware Analysis Report

2025-08-06 03:52

Sample ID 221030-ymg3nahdfl
Target 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
Tags
upx cybergate fucked persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb

Threat Level: Known bad

The file 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb was found to be: Known bad.

Malicious Activity Summary

upx cybergate fucked persistence stealer trojan

CyberGate, Rebhip

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Adds policy Run key to start application

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-30 19:54

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-30 19:54

Reported

2022-10-31 12:56

Platform

win7-20220901-en

Max time kernel

151s

Max time network

56s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\svchosts\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\svchosts\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchosts\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchosts\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{UU50F136-00E3-6458-8G7T-2XKLPAKG65V7} | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{UU50F136-00E3-6458-8G7T-2XKLPAKG65V7}\StubPath = "C:\\Windows\\system32\\svchosts\\svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{UU50F136-00E3-6458-8G7T-2XKLPAKG65V7} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{UU50F136-00E3-6458-8G7T-2XKLPAKG65V7}\StubPath = "C:\\Windows\\system32\\svchosts\\svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts = "C:\\Windows\\system32\\svchosts\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchosts = "C:\\Windows\\system32\\svchosts\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\svchosts\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\svchosts\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\svchosts\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchosts\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchosts\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchosts\ | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2024 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2024 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2024 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2024 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2024 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2024 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2024 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2024 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2024 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2024 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2024 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe

"C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe"

C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe

C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe

"C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe"

C:\Windows\SysWOW64\svchosts\svchost.exe

"C:\Windows\system32\svchosts\svchost.exe"

C:\Windows\SysWOW64\svchosts\svchost.exe

C:\Windows\SysWOW64\svchosts\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hitman54.no-ip.biz | udp
US | 8.8.8.8:53 | silentassassin47.no-ip.biz | udp
US | 8.8.8.8:53 | silentassassin54.no-ip.biz | udp
US | 8.8.8.8:53 | hitman47.no-ip.biz | udp

Files

memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

memory/2024-57-0x0000000000400000-0x0000000000696000-memory.dmp

memory/2024-58-0x0000000000FD0000-0x0000000001266000-memory.dmp

memory/2028-59-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2028-60-0x000000000040A0C4-mapping.dmp

memory/2028-62-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2028-65-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2028-66-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2028-67-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2028-68-0x0000000000C10000-0x0000000000EA6000-memory.dmp

memory/2028-69-0x0000000000C10000-0x0000000000EA6000-memory.dmp

memory/2028-70-0x0000000000C10000-0x0000000000EA6000-memory.dmp

memory/2028-71-0x0000000000240000-0x0000000000243000-memory.dmp

memory/2028-73-0x0000000010410000-0x0000000010482000-memory.dmp

memory/1368-76-0x0000000010410000-0x0000000010482000-memory.dmp

memory/336-79-0x0000000000000000-mapping.dmp

memory/336-81-0x0000000074CC1000-0x0000000074CC3000-memory.dmp

memory/2028-82-0x0000000010490000-0x0000000010502000-memory.dmp

memory/336-87-0x0000000010490000-0x0000000010502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 3b963bd15bb9ed1521498e1d2f0f5d17
SHA1 59efc19d28dcb518cc8db7447fed8c16c10b754e
SHA256 98e875c354d30677377ea66e55e7a0f128bb32a09556d07b5248374aff38e0a4
SHA512 400a4413cd72c15e57934976b762e06b512919bc4894990538aeff27f33ea27c92ab3543bd9c2b1617d02f76f05b24029cead0567bc3060bf495ca1952b3ab9a

C:\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

memory/336-90-0x0000000010490000-0x0000000010502000-memory.dmp

memory/2028-92-0x0000000000380000-0x00000000003F2000-memory.dmp

memory/816-96-0x0000000000000000-mapping.dmp

memory/2028-98-0x0000000010510000-0x0000000010582000-memory.dmp

memory/816-103-0x0000000010510000-0x0000000010582000-memory.dmp

memory/2028-104-0x00000000022E0000-0x0000000002576000-memory.dmp

memory/816-105-0x0000000000400000-0x0000000000696000-memory.dmp

memory/816-106-0x0000000000DA0000-0x0000000001036000-memory.dmp

memory/816-107-0x0000000000DA0000-0x0000000001036000-memory.dmp

memory/816-108-0x0000000000DA0000-0x0000000001036000-memory.dmp

memory/816-109-0x0000000010510000-0x0000000010582000-memory.dmp

\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

memory/1764-111-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

memory/2028-117-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2028-118-0x0000000004420000-0x00000000046B6000-memory.dmp

memory/1764-121-0x0000000000400000-0x0000000000696000-memory.dmp

memory/1764-122-0x0000000000C00000-0x0000000000E96000-memory.dmp

memory/1764-123-0x0000000000C00000-0x0000000000E96000-memory.dmp

\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

C:\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

memory/464-126-0x000000000040A0C4-mapping.dmp

\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

memory/2024-137-0x0000000000400000-0x0000000000696000-memory.dmp

memory/1764-138-0x0000000003220000-0x00000000034B6000-memory.dmp

memory/464-139-0x0000000000400000-0x000000000044E000-memory.dmp

memory/464-140-0x0000000000A70000-0x0000000000D06000-memory.dmp

memory/464-141-0x0000000000A70000-0x0000000000D06000-memory.dmp

memory/464-142-0x00000000001E0000-0x00000000001E3000-memory.dmp

memory/464-143-0x0000000000400000-0x000000000044E000-memory.dmp

memory/816-144-0x0000000010510000-0x0000000010582000-memory.dmp

memory/2028-145-0x0000000004420000-0x00000000046B6000-memory.dmp

memory/1764-146-0x0000000000400000-0x0000000000696000-memory.dmp

memory/1764-147-0x0000000000C00000-0x0000000000E96000-memory.dmp

memory/1764-148-0x0000000003220000-0x00000000034B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-30 19:54

Reported

2022-10-31 12:56

Platform

win10v2004-20220812-en

Max time kernel

152s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\svchosts\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\svchosts\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchosts\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchosts\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{UU50F136-00E3-6458-8G7T-2XKLPAKG65V7} | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UU50F136-00E3-6458-8G7T-2XKLPAKG65V7}\StubPath = "C:\\Windows\\system32\\svchosts\\svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{UU50F136-00E3-6458-8G7T-2XKLPAKG65V7} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UU50F136-00E3-6458-8G7T-2XKLPAKG65V7}\StubPath = "C:\\Windows\\system32\\svchosts\\svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchosts = "C:\\Windows\\system32\\svchosts\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts = "C:\\Windows\\system32\\svchosts\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\svchosts\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\svchosts\svchost.exe | N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\svchosts\svchost.exe C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe N/A
File opened for modification C:\Windows\SysWOW64\svchosts\svchost.exe C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe N/A
File opened for modification C:\Windows\SysWOW64\svchosts\svchost.exe C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe N/A
File opened for modification C:\Windows\SysWOW64\svchosts\ C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4284 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe
PID 2436 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe

"C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe"

C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe

C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe

"C:\Users\Admin\AppData\Local\Temp\1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb.exe"

C:\Windows\SysWOW64\svchosts\svchost.exe

"C:\Windows\system32\svchosts\svchost.exe"

C:\Windows\SysWOW64\svchosts\svchost.exe

C:\Windows\SysWOW64\svchosts\svchost.exe

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp
IE 52.109.77.0:443 tcp
US 8.8.8.8:53 hitman54.no-ip.biz udp
US 8.8.8.8:53 silentassassin47.no-ip.biz udp
US 8.8.8.8:53 silentassassin54.no-ip.biz udp
US 8.8.8.8:53 hitman47.no-ip.biz udp

Files

memory/4284-132-0x0000000000400000-0x0000000000696000-memory.dmp

memory/2436-135-0x0000000000000000-mapping.dmp

memory/2436-136-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2436-138-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2436-139-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2436-140-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2436-141-0x00000000005C0000-0x00000000005C3000-memory.dmp

memory/2436-143-0x0000000010410000-0x0000000010482000-memory.dmp

memory/4284-146-0x0000000000400000-0x0000000000696000-memory.dmp

memory/4432-148-0x0000000000000000-mapping.dmp

memory/2436-149-0x0000000010490000-0x0000000010502000-memory.dmp

memory/4432-152-0x0000000010490000-0x0000000010502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 3b963bd15bb9ed1521498e1d2f0f5d17
SHA1 59efc19d28dcb518cc8db7447fed8c16c10b754e
SHA256 98e875c354d30677377ea66e55e7a0f128bb32a09556d07b5248374aff38e0a4
SHA512 400a4413cd72c15e57934976b762e06b512919bc4894990538aeff27f33ea27c92ab3543bd9c2b1617d02f76f05b24029cead0567bc3060bf495ca1952b3ab9a

C:\Windows\SysWOW64\svchosts\svchost.exe

MD5 a172747973cf9ff998db1c26007a2600
SHA1 745422b13de8df068ae7149c518353a3f6362067
SHA256 1d4a852a3dd079f3f36c23d8710ce0169af3114f6d774724582974015f69fddb
SHA512 f0f0193cb7131abc0da3b938ae8a3d0816a0225662e29299844ba848d86ca942fbeadd291c87d9133a9096b5ae93fbd91705692f660202c96615f0e48c21dc4d

memory/4432-155-0x0000000010490000-0x0000000010502000-memory.dmp

memory/2436-159-0x00000000022A0000-0x0000000002312000-memory.dmp

memory/2012-161-0x0000000000000000-mapping.dmp

memory/2436-162-0x0000000010510000-0x0000000010582000-memory.dmp

memory/2012-165-0x0000000010510000-0x0000000010582000-memory.dmp

memory/2012-166-0x0000000000400000-0x0000000000696000-memory.dmp

memory/2012-167-0x0000000010510000-0x0000000010582000-memory.dmp

memory/3768-168-0x0000000000000000-mapping.dmp

memory/2436-172-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3768-173-0x0000000000400000-0x0000000000696000-memory.dmp

memory/1188-174-0x0000000000000000-mapping.dmp

memory/1188-180-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1188-181-0x00000000005B0000-0x00000000005B3000-memory.dmp

memory/2012-182-0x0000000010510000-0x0000000010582000-memory.dmp

memory/1188-183-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3768-184-0x0000000000400000-0x0000000000696000-memory.dmp