Malware Analysis Report

2025-08-06 03:48

Sample ID 221106-g3zh7sfha5
Target e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca
SHA256 e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca
Tags
upx cybergate vida nova tres persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca

Threat Level: Known bad

The file e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca was found to be: Known bad.

Malicious Activity Summary

upx cybergate vida nova tres persistence stealer trojan

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in System32 directory

AutoIT Executable

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 06:20

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 06:20

Reported

2022-11-06 07:02

Platform

win7-20220901-en

Max time kernel

150s

Max time network

66s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\syss\\winn32.exe" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\syss\\winn32.exe" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\syss\winn32.exe N/A
N/A N/A C:\Windows\SysWOW64\syss\winn32.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\DontAsk = "2" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\syss\\winn32.exe Restart" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\syss\\winn32.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2} C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe -restart" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\IsInstalled = "1" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\syss\\winn32.exe" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\syss\\winn32.exe" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\f: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\syss\winn32.exe C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened for modification C:\Windows\SysWOW64\syss\winn32.exe C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
PID 2028 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe

"C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe"

C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe

"C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe

"C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe"

C:\Windows\SysWOW64\syss\winn32.exe

"C:\Windows\system32\syss\winn32.exe"

C:\Windows\SysWOW64\syss\winn32.exe

"C:\Windows\SysWOW64\syss\winn32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lesamedi.no-ip.info udp

Files

memory/2012-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

memory/2028-55-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2028-57-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2028-58-0x0000000000455C00-mapping.dmp

memory/2028-61-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2028-62-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2012-63-0x0000000000400000-0x00000000004CB000-memory.dmp

memory/2012-64-0x0000000003A00000-0x0000000003ACB000-memory.dmp

memory/2028-65-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2028-67-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1348-70-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1684-73-0x0000000000000000-mapping.dmp

memory/1684-75-0x00000000743D1000-0x00000000743D3000-memory.dmp

memory/2028-76-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1684-81-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Windows\SysWOW64\syss\winn32.exe

MD5 2ec9e817685bf6c535a09df1896507ce
SHA1 175503b55e41200505e5dd436288042bd9d76943
SHA256 e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca
SHA512 39cd98fad637091a84b76bd210b1c244a8a7dff2089f53a13b3f400eeaf76c3f533561c7fb03a5db392c67c5862936edb32ee11b59d75dfa00abbbc32337d8bc

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 03f04535015c085446cd0828bcc401c9
SHA1 b2364366921e9a1d0f3e2ead3cd0f4e84374ae9b
SHA256 dc4224d120265dea2c0ec13272e2f6859a843521b9e1d4809578ac97cbf878a7
SHA512 7b982d50af8a3485b16fcb61d792c61b83cb46edb6748cfedaa0d6cf1dfa55044909441de4933b4a65a88b0655d908a9f2a43421d464801caa3c3e6af959672a

memory/1684-84-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/2028-86-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1976-90-0x0000000000000000-mapping.dmp

memory/2028-92-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/2028-98-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1976-97-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/1976-99-0x0000000000400000-0x00000000004CB000-memory.dmp

memory/1976-100-0x0000000024160000-0x00000000241C2000-memory.dmp

\Windows\SysWOW64\syss\winn32.exe

MD5 2ec9e817685bf6c535a09df1896507ce
SHA1 175503b55e41200505e5dd436288042bd9d76943
SHA256 e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca
SHA512 39cd98fad637091a84b76bd210b1c244a8a7dff2089f53a13b3f400eeaf76c3f533561c7fb03a5db392c67c5862936edb32ee11b59d75dfa00abbbc32337d8bc

memory/1424-102-0x0000000000000000-mapping.dmp

memory/2016-108-0x0000000000455C00-mapping.dmp

memory/1424-111-0x0000000000400000-0x00000000004CB000-memory.dmp

memory/2016-113-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2016-114-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1976-115-0x0000000009B20000-0x0000000009BEB000-memory.dmp

memory/2016-116-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2016-117-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2012-118-0x0000000000400000-0x00000000004CB000-memory.dmp

memory/1976-119-0x0000000024160000-0x00000000241C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 06:20

Reported

2022-11-06 07:04

Platform

win10v2004-20220812-en

Max time kernel

176s

Max time network

182s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\syss\\winn32.exe" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\syss\\winn32.exe" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\syss\winn32.exe N/A
N/A N/A C:\Windows\SysWOW64\syss\winn32.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\DontAsk = "2" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\syss\\winn32.exe Restart" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\syss\\winn32.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2} C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe -restart" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\IsInstalled = "1" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\syss\\winn32.exe" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\syss\\winn32.exe" C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\f: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\syss\winn32.exe C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A
File opened for modification C:\Windows\SysWOW64\syss\winn32.exe C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\syss\winn32.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
PID 4476 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe

"C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe"

C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe

"C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe

"C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe"

C:\Windows\SysWOW64\syss\winn32.exe

"C:\Windows\system32\syss\winn32.exe"

C:\Windows\SysWOW64\syss\winn32.exe

"C:\Windows\SysWOW64\syss\winn32.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2732 -ip 2732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 576

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 20.189.173.1:443 tcp
US 8.8.8.8:53 lesamedi.no-ip.info udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp

Files

memory/4476-135-0x0000000000000000-mapping.dmp

memory/4476-136-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4476-138-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1572-140-0x0000000000400000-0x00000000004CB000-memory.dmp

memory/4476-139-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4476-141-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4476-143-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4648-147-0x0000000000000000-mapping.dmp

memory/4476-148-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4648-151-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 03f04535015c085446cd0828bcc401c9
SHA1 b2364366921e9a1d0f3e2ead3cd0f4e84374ae9b
SHA256 dc4224d120265dea2c0ec13272e2f6859a843521b9e1d4809578ac97cbf878a7
SHA512 7b982d50af8a3485b16fcb61d792c61b83cb46edb6748cfedaa0d6cf1dfa55044909441de4933b4a65a88b0655d908a9f2a43421d464801caa3c3e6af959672a

C:\Windows\SysWOW64\syss\winn32.exe

MD5 2ec9e817685bf6c535a09df1896507ce
SHA1 175503b55e41200505e5dd436288042bd9d76943
SHA256 e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca
SHA512 39cd98fad637091a84b76bd210b1c244a8a7dff2089f53a13b3f400eeaf76c3f533561c7fb03a5db392c67c5862936edb32ee11b59d75dfa00abbbc32337d8bc

memory/4648-154-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4476-156-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1220-160-0x0000000000000000-mapping.dmp

memory/4476-161-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/1220-164-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/4476-165-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1220-166-0x0000000000400000-0x00000000004CB000-memory.dmp

memory/1220-167-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/1488-168-0x0000000000000000-mapping.dmp

memory/2732-170-0x0000000000000000-mapping.dmp

memory/1488-174-0x0000000000400000-0x00000000004CB000-memory.dmp

memory/2732-175-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2732-176-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2732-177-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1572-178-0x0000000000400000-0x00000000004CB000-memory.dmp

memory/1220-179-0x0000000024160000-0x00000000241C2000-memory.dmp