Malware Analysis Report

2025-08-06 03:51

Sample ID 221106-e2lvlsehfk
Target f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196
SHA256 f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196
Tags cybergate victima persistence stealer trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196

Threat Level: Known bad

The file f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196 was found to be: Known bad.

Malicious Activity Summary

cybergate victima persistence stealer trojan upx

CyberGate, Rebhip

UPX packed file

Modifies Installed Components in the registry

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-11-06 04:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-11-06 04:26
Reported 2022-11-06 04:39
Platform win7-20220812-en
Max time kernel 181s
Max time network 78s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Win32\\winloader.exe" C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Win32\\winloader.exe" C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Win32\winloader.exe N/A
N/A N/A C:\Win32\winloader.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N} C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}\StubPath = "C:\\Win32\\winloader.exe Restart" C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}\StubPath = "C:\\Win32\\winloader.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tarjeta de video = "C:\\Win32\\winloader.exe" C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Placa mother = "C:\\Win32\\winloader.exe" C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 1296 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe "C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe"
C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Win32\winloader.exe "C:\Win32\winloader.exe"
C:\Win32\winloader.exe C:\Win32\winloader.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 0d636aa26187398d0858250cc1c4c4fa
SHA1 b2ccf76344d2d9ad769898e66fa45616466f6527
SHA256 b087ceee417c34a825f52c98bba9b3a5eaa828ed5f5074e3750f6b7e76ab106d
SHA512 237cc3d0514b75e79b894ccbd24cdfa170850203b9dfe8cb79fc194c797c5fc2db138380e65e44a5a026f849137ec612832b208e8c3ba4db63807d5daa6a6010

C:\Win32\winloader.exe

MD5 2d677ed795661959e60196d2892256b0
SHA1 684d7f89ffc1822a10c8824d8c8da7079eca292a
SHA256 f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196
SHA512 eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9


Analysis: behavioral2

Detonation Overview

Submitted 2022-11-06 04:26
Reported 2022-11-06 04:38
Platform win10v2004-20220812-en
Max time kernel 152s
Max time network 157s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Win32\\winloader.exe" C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Win32\\winloader.exe" C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Win32\winloader.exe N/A
N/A N/A C:\Win32\winloader.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N} C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}\StubPath = "C:\\Win32\\winloader.exe Restart" C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}\StubPath = "C:\\Win32\\winloader.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Tarjeta de video = "C:\\Win32\\winloader.exe" C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Placa mother = "C:\\Win32\\winloader.exe" C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Win32\winloader.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4988 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Windows\Explorer.EXE

Processes

Image Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe "C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe"
C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Win32\winloader.exe "C:\Win32\winloader.exe"
C:\Win32\winloader.exe C:\Win32\winloader.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 228 -ip 228
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 536

Network

Country Destination Domain Proto
US 52.109.13.64:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp

Files

memory/2920-132-0x0000000000000000-mapping.dmp

memory/2920-133-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/2920-135-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/2920-136-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/2920-137-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/2920-138-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/2920-140-0x0000000024010000-0x0000000024072000-memory.dmp

memory/5060-144-0x0000000000000000-mapping.dmp

memory/2920-145-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/5060-148-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/5060-149-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3188-151-0x0000000000000000-mapping.dmp

memory/2920-152-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/3188-155-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/2920-156-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/3188-157-0x00000000240F0000-0x0000000024152000-memory.dmp

C:\Win32\winloader.exe

MD5 2d677ed795661959e60196d2892256b0
SHA1 684d7f89ffc1822a10c8824d8c8da7079eca292a
SHA256 f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196
SHA512 eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 0d636aa26187398d0858250cc1c4c4fa
SHA1 b2ccf76344d2d9ad769898e66fa45616466f6527
SHA256 b087ceee417c34a825f52c98bba9b3a5eaa828ed5f5074e3750f6b7e76ab106d
SHA512 237cc3d0514b75e79b894ccbd24cdfa170850203b9dfe8cb79fc194c797c5fc2db138380e65e44a5a026f849137ec612832b208e8c3ba4db63807d5daa6a6010

memory/4404-160-0x0000000000000000-mapping.dmp

C:\Win32\winloader.exe

MD5 2d677ed795661959e60196d2892256b0
SHA1 684d7f89ffc1822a10c8824d8c8da7079eca292a
SHA256 f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196
SHA512 eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9

memory/228-162-0x0000000000000000-mapping.dmp

C:\Win32\winloader.exe

MD5 2d677ed795661959e60196d2892256b0
SHA1 684d7f89ffc1822a10c8824d8c8da7079eca292a
SHA256 f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196
SHA512 eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9

memory/228-166-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/228-167-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/228-168-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/5060-169-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3188-170-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/228-171-0x0000000000400000-0x00000000004DD000-memory.dmp
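The Network and Files listings above are the raw indicator material of this detonation. What follows is an added example, not part of the sandbox report and not the sandbox's own tooling: a small Python parser that turns those two listings (copied verbatim into the script from the tables above) into a de-duplicated IOC set and applies two triage rules a practitioner would otherwise check by eye. DNS queries for dynamic-DNS hosts are flagged as C2 candidates, and a dropped file whose SHA256 equals the submitted sample is flagged as a self-copy. The dynamic-DNS suffix list is an assumption for illustration and should be extended to local policy. The parser also skips the memory-dump lines, merges repeated drop entries for the same path, and refuses to merge silently when two entries for one path disagree on a hash, since that would mean the file was rewritten during the run.

```python
"""Added example (not part of the sandbox report): parse the report's
Network and Files listings into a de-duplicated IOC set and apply two
triage rules:
  1. DNS queries for dynamic-DNS hosts (*.no-ip.org here) are C2 candidates.
  2. A dropped file whose SHA256 equals the submitted sample is a self-copy.
Rows below are copied from the report; the dynamic-DNS suffix list is an
assumption.
"""
import re
from collections import Counter
from typing import Dict, Set, Tuple

SAMPLE_SHA256 = "f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196"

# Assumption for rule 1: suffixes treated as dynamic DNS (extend as needed).
DYNAMIC_DNS_SUFFIXES = (".no-ip.org", ".ddns.net", ".duckdns.org")

# The report's Network table, copied verbatim (header row included).
NETWORK_ROWS = r"""
Country Destination Domain Proto
US 52.109.13.64:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
US 8.8.8.8:53 infeccioneszc.no-ip.org udp
US 8.8.8.8:53 kbchorizo.no-ip.org udp
"""

# Dropped-file entries from the report's Files section; memory-dump lines
# and the repeated winloader.exe entry are kept to show how they are handled.
FILE_ROWS = r"""
memory/4404-160-0x0000000000000000-mapping.dmp
C:\Win32\winloader.exe
MD5 2d677ed795661959e60196d2892256b0
SHA1 684d7f89ffc1822a10c8824d8c8da7079eca292a
SHA256 f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
MD5 0d636aa26187398d0858250cc1c4c4fa
SHA1 b2ccf76344d2d9ad769898e66fa45616466f6527
SHA256 b087ceee417c34a825f52c98bba9b3a5eaa828ed5f5074e3750f6b7e76ab106d
memory/228-162-0x0000000000000000-mapping.dmp
C:\Win32\winloader.exe
MD5 2d677ed795661959e60196d2892256b0
SHA1 684d7f89ffc1822a10c8824d8c8da7079eca292a
SHA256 f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196
"""

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
# country, ip:port, optional domain, proto
NET_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_network(text: str) -> Tuple[Counter, Set[Tuple[str, int]]]:
    """Return (DNS query counts by name, set of TCP (ip, port) destinations)."""
    dns: Counter = Counter()
    tcp: Set[Tuple[str, int]] = set()
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:  # header, blank or malformed row
            continue
        _country, ip, port, domain, proto = m.groups()
        if proto == "udp" and port == "53" and domain:
            dns[domain] += 1
        elif proto == "tcp":
            tcp.add((ip, int(port)))
    return dns, tcp


def parse_files(text: str) -> Dict[str, Dict[str, str]]:
    """Return {path: {algo: hexdigest}}. memory/*.dmp lines carry no hashes
    and are skipped; a path listed twice is merged unless its hashes differ,
    which would mean the file was rewritten and must not be merged silently."""
    files: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_ALGOS and current is not None:
            digest = digest.lower()
            prev = files[current].get(algo)
            if prev is not None and prev != digest:
                raise ValueError(f"{current}: {algo} differs between entries")
            files[current][algo] = digest
        elif line.startswith("memory/"):
            current = None
        else:
            current = line
            files.setdefault(current, {})
    return files


def triage(network_text: str, files_text: str, sample_sha256: str) -> dict:
    """Apply both rules and return a structured IOC summary."""
    dns, tcp = parse_network(network_text)
    files = parse_files(files_text)
    sample = sample_sha256.lower()
    self_copies = sorted(p for p, h in files.items() if h.get("SHA256") == sample)
    return {
        "dns_queries": dict(dns),
        "tcp_destinations": sorted(tcp),
        "c2_candidates": sorted(d for d in dns if d.endswith(DYNAMIC_DNS_SUFFIXES)),
        "self_copies": self_copies,
        "other_dropped": sorted(p for p in files if p not in self_copies),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(NETWORK_ROWS, FILE_ROWS, SAMPLE_SHA256), indent=2))
```

Run as a script it prints the JSON summary. For this report that is the two no-ip.org names as C2 candidates (seven queries each), the three TCP destinations, C:\Win32\winloader.exe flagged as a self-copy because its SHA256 matches the submitted sample, and XX--XX--XX.txt as the only other dropped file.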