Malware Analysis Report

2025-08-06 03:48

Sample ID 221106-hj53bagfb7
Target fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d
SHA256 fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d
Tags
cybergate new504 persistence stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d

Threat Level: Known bad

The file fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d was found to be: Known bad.

Malicious Activity Summary

cybergate new504 persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 06:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 06:46

Reported

2022-11-06 07:34

Platform

win7-20220812-en

Max time kernel

44s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe

"C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe"

Network

N/A

Files

memory/1632-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

memory/1632-55-0x0000000000290000-0x0000000000294000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 06:46

Reported

2022-11-06 07:34

Platform

win10v2004-20220812-en

Max time kernel

187s

Max time network

184s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Policies\Explorer\Run is the Group Policy-managed run list that Explorer processes at logon alongside the ordinary Run key. It is normally populated only by policy processing, so a value set there by a binary running from %TEMP% is a strong persistence signal. Both the machine-wide and the per-user list receive a value named Flash pointing at the dropped copy.
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Flash = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe" | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Flash = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe" | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A

Executes dropped EXE

The dropped binary is an unmodified copy of the sample: its SHA256 in the Files section equals the submitted file's.
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Mozilla\Flash_Update.exe | N/A
N/A | N/A | C:\Program Files (x86)\Mozilla\Flash_Update.exe | N/A

Modifies Installed Components in the registry

persistence
Active Setup runs a component's StubPath once per user at logon, for every component present under HKLM that is not yet recorded under that user's HKCU, so this entry re-launches the dropped copy for each account that logs on. The component name {4C287P68-7BA7-H58U-I451-7G485M55P0Q8} is not a GUID: P, H, U, I, G, M and Q are not hex digits. A StubPath under a malformed GUID is a cheap, high-confidence hunt. The value is written twice, first by the sample with a Restart argument and then by C:\Windows\SysWOW64\explorer.exe without it.
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C287P68-7BA7-H58U-I451-7G485M55P0Q8} | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C287P68-7BA7-H58U-I451-7G485M55P0Q8}\StubPath = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe Restart" | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C287P68-7BA7-H58U-I451-7G485M55P0Q8} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C287P68-7BA7-H58U-I451-7G485M55P0Q8}\StubPath = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(9 matches; the report records Description, Indicator, Process and Target as N/A for all of them)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A

Adds Run key to start application

persistence
The machine-wide value is named Java_Update and the per-user one Flash_Update; both point at the same dropped copy. Across the three persistence signatures in this analysis the binary ends up with five autostart entries.
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Java_Update = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe" | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Flash_Update = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe" | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
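The three persistence signatures in this analysis (Policies\Explorer\Run, Active Setup StubPath, Run) expressed as hunt logic over Sysmon Event ID 13 registry-write records. This is an added example, not code from the Triage report or from the sample: the event field names, the rule names and the two benign control events are assumptions, while the registry paths, the dropped path and the malformed component GUID are taken from the report.

```python
"""Hunt logic for the autostart locations this sample writes, run over
constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records."""
import re
from dataclasses import dataclass
from typing import Optional

# From the report: where the sample copies itself (same SHA256 as the sample).
IOC_PATH = r"C:\Program Files (x86)\Mozilla\Flash_Update.exe"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe")
USER_SID = "S-1-5-21-2295526160-1155304984-640977766-1000"

# Key fragments, lower-cased, so HKLM, HKU and WOW6432Node variants all match.
POLICY_RUN = "\\currentversion\\policies\\explorer\\run\\"
RUN_KEY = "\\currentversion\\run\\"
ACTIVE_SETUP = "\\active setup\\installed components\\"

# Active Setup components are keyed by GUID: hex groups of 8-4-4-4-12.
GUID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
STUBPATH_RE = re.compile(r"\\installed components\\(\{[^}\\]*\})\\stubpath$", re.I)


@dataclass(frozen=True)
class RegEvent:
    """Subset of Sysmon EID 13 fields (assumed names: Image, TargetObject, Details)."""
    image: str
    target_object: str
    details: str


def value_path(details: str) -> str:
    """Executable named by an autostart value, without quotes or arguments
    (the sample's StubPath carries a trailing 'Restart' argument)."""
    s = details.strip().lstrip('"')
    m = re.match(r"(.*?\.exe)", s, re.I)
    return m.group(1) if m else s


def active_setup_guid_ok(target_object: str) -> Optional[bool]:
    """True/False for a StubPath write; None when the target is not one."""
    m = STUBPATH_RE.search(target_object)
    if m is None:
        return None
    return GUID_RE.fullmatch(m.group(1)) is not None


def rules_for(ev: RegEvent) -> list:
    """Names of the rules that fire for one event; [] means not an autostart."""
    low = ev.target_object.lower()
    if not any(k in low for k in (POLICY_RUN, RUN_KEY, ACTIVE_SETUP)):
        return []
    hits = []
    # Policies\Explorer\Run is normally populated by Group Policy processing,
    # not by a binary running out of a user's Temp directory.
    if POLICY_RUN in low:
        hits.append("policy_explorer_run_write")
    # {4C287P68-7BA7-H58U-I451-7G485M55P0Q8} is not hex; real components are.
    if active_setup_guid_ok(ev.target_object) is False:
        hits.append("active_setup_invalid_guid")
    if value_path(ev.details).lower() == IOC_PATH.lower():
        hits.append("autostart_points_at_ioc")
    if "\\appdata\\local\\temp\\" in ev.image.lower():
        hits.append("autostart_written_from_temp")
    return hits


def scan(events):
    """TargetObject -> rules triggered, for every event that triggered any."""
    out = {}
    for ev in events:
        hits = rules_for(ev)
        if hits:
            out[ev.target_object] = hits
    return out


# Constructed events mirroring the report's rows, plus two benign controls
# (a valid Active Setup GUID written by an installer; a per-user Run value
# written by Explorer) that must not fire.
EVENTS = [
    RegEvent(SAMPLE, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Flash", IOC_PATH),
    RegEvent(SAMPLE, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
                     r"\{4C287P68-7BA7-H58U-I451-7G485M55P0Q8}\StubPath", IOC_PATH + " Restart"),
    RegEvent(SAMPLE, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Java_Update", IOC_PATH),
    RegEvent(SAMPLE, "HKU\\" + USER_SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Flash_Update", IOC_PATH),
    RegEvent(r"C:\Windows\System32\msiexec.exe",
             r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
             r"\{89820200-ECBD-11cf-8B85-00AA005B4340}\StubPath",
             "regsvr32.exe /s /n /i:U shell32.dll"),
    RegEvent(r"C:\Windows\explorer.exe",
             "HKU\\" + USER_SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for target, hits in scan(EVENTS).items():
        print(target, "->", ", ".join(hits))
```

Running the file prints one line per firing event. The Active Setup check keys on the component name alone, so it keeps working after the operator changes the file name or the Run value names; the path match is the brittle one and is there to tie a hit to this specific sample.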

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Mozilla\ | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla\Flash_Update.exe | C:\Program Files (x86)\Mozilla\Flash_Update.exe | N/A
File created | C:\Program Files (x86)\Mozilla\Flash_Update.exe | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla\Flash_Update.exe | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla\Flash_Update.exe | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A

Enumerates physical storage devices

Program crash

WerFault handled a crash of the dropped copy (Target column); the WerFault command lines under Processes carry -p 2332, the faulting PID.
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Mozilla\Flash_Update.exe

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | N/A

Suspicious use of WriteProcessMemory

Writes are grouped by writer and target; Count is the number of rows the sandbox recorded. PID 620 (the submitted file) wrote 13 times into PID 4896, a second instance of the same image, which together with the SetThreadContext signature is the pattern of a hollowed child. PID 4896 then wrote 51 times into the shell process, Explorer.EXE (PID 2640).
Description | Indicator | Process | Target | Count
PID 620 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | 13
PID 4896 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | C:\Windows\Explorer.EXE | 51
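The WriteProcessMemory rows above rebuilt into an injection chain. This is an added example, not the report's or the sample's code: the PID-to-image map is read off the Processes list and memory-dump names in this analysis, the row text is repeated 13 and 51 times exactly as the report lists it, and the edge labels are assumptions about what each write pattern means.

```python
"""Rebuild the injection chain from the report's WriteProcessMemory rows."""
import re
from collections import Counter, defaultdict

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# PID -> image, from the report's Processes list and memory-dump names.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe")
IMAGES = {620: SAMPLE, 4896: SAMPLE, 2640: r"C:\Windows\Explorer.EXE"}

# Constructed input: the row text as the report prints it, repeated as
# often as the report lists it (13 writes, then 51).
ROWS = (["PID 620 wrote to memory of 4896"] * 13
        + ["PID 4896 wrote to memory of 2640"] * 51)


def count_writes(rows):
    """(writer_pid, target_pid) -> number of WriteProcessMemory rows."""
    counts = Counter()
    for row in rows:
        m = WRITE_RE.search(row)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def classify(counts, images):
    """Label each edge by what the write pattern suggests (assumed labels)."""
    labels = {}
    for src, dst in counts:
        si = images.get(src, "").lower()
        di = images.get(dst, "").lower()
        if si and si == di:
            # Writes into a fresh copy of the writer's own image, alongside
            # the SetThreadContext signature, are the process-hollowing pattern.
            labels[(src, dst)] = "self-image child (hollowing candidate)"
        elif di.endswith("\\explorer.exe"):
            labels[(src, dst)] = "injection into the shell (explorer.exe)"
        else:
            labels[(src, dst)] = "cross-process write"
    return labels


def chains(counts):
    """Paths of writer -> target edges, starting from PIDs nobody wrote into."""
    out_edges = defaultdict(list)
    targets = set()
    for src, dst in counts:
        out_edges[src].append(dst)
        targets.add(dst)
    paths = []

    def walk(path, seen):
        nxt = [d for d in out_edges.get(path[-1], []) if d not in seen]
        if not nxt:
            paths.append(path)
            return
        for d in sorted(nxt):
            walk(path + [d], seen | {d})

    for root in sorted(p for p in out_edges if p not in targets):
        walk([root], {root})
    return paths


def basename(path):
    return path.rsplit("\\", 1)[-1]


def report(rows=ROWS, images=IMAGES):
    """Chain lines first, then one line per edge with its count and label."""
    counts = count_writes(rows)
    labels = classify(counts, images)
    lines = []
    for chain in chains(counts):
        lines.append(" -> ".join("%d (%s)" % (p, basename(images.get(p, "?"))) for p in chain))
    for (src, dst), n in sorted(counts.items()):
        lines.append("%d -> %d: %d writes, %s" % (src, dst, n, labels[(src, dst)]))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The chain walk treats any PID that is only ever a writer as a root, so on a fuller trace (several children, several injected hosts) it prints one line per distinct path rather than a flat list of edges.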

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | "C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe"
C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe | "C:\Users\Admin\AppData\Local\Temp\fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d.exe"
C:\Program Files (x86)\Mozilla\Flash_Update.exe | "C:\Program Files (x86)\Mozilla\Flash_Update.exe"
C:\Program Files (x86)\Mozilla\Flash_Update.exe | "C:\Program Files (x86)\Mozilla\Flash_Update.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2332 -ip 2332
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 544

Network

Country | Destination | Domain | Proto | Count
US | 93.184.220.29:80 | | tcp | 1
NL | 95.101.78.106:80 | | tcp | 1
US | 52.109.13.63:443 | | tcp | 1
US | 20.44.10.122:443 | | tcp | 1
NL | 104.110.191.133:80 | | tcp | 3
US | 8.8.8.8:53 | Firefox.ignorelist.com | udp | 17
US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp | 1

Firefox.ignorelist.com is the only forward lookup in the capture and was queried 17 times through 8.8.8.8. None of the TCP rows carries a domain, so the report does not tie any of those connections to that name. The in-addr.arpa row is a reverse lookup of 20.54.89.106.

Files

memory/4896-132-0x0000000000000000-mapping.dmp

memory/4896-133-0x0000000000400000-0x0000000000450000-memory.dmp

memory/4896-135-0x0000000000400000-0x0000000000450000-memory.dmp

memory/620-134-0x0000000000A80000-0x0000000000A84000-memory.dmp

memory/4896-136-0x0000000000400000-0x0000000000450000-memory.dmp

memory/4896-137-0x0000000000400000-0x0000000000450000-memory.dmp

memory/4896-139-0x0000000024010000-0x0000000024072000-memory.dmp

memory/2232-143-0x0000000000000000-mapping.dmp

memory/4896-144-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/2232-147-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 7fc5be2ef2f3d9bdd17cbb621da67d10
SHA1 216b65d647aa52ec09e34bd503bee237ce73d03f
SHA256 e733457185a55f952101c0b40de8bf32d9a065f43e667ed81e278e0d0a2602b3
SHA512 3dab3911df3ac54bd2552302b49d0d395c15be590563be31d8edcbf3092deedfb81992941d1329074530ef3707a213923d54af972b6d1bdcbc14c156238a8b68

C:\Program Files (x86)\Mozilla\Flash_Update.exe

MD5 211f5b91e02cce9155adcbb0ad9233f0
SHA1 2a04655504ec02036e750aa8c3aff776df9b7b14
SHA256 fb7847373477a5148f190949c130977367bfee8c854811ee96381a6cbc54ac4d
SHA512 ab81533d0eac4ae885871f6d4991bdc97ce6ae2fb35cb26bde5e8a987338f32b5aee033a5fd437d9cc14fb4db3a0b9ebc4e6b31fd93497e33b2afadb126894f3
(SHA256 identical to the submitted sample: the dropped file is an unmodified self-copy, so one hash covers both the delivery file and the persisted copy.)

memory/2232-150-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4896-152-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/2500-156-0x0000000000000000-mapping.dmp

memory/4896-157-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/2500-160-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/4896-161-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2500-162-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/2400-163-0x0000000000000000-mapping.dmp

memory/2332-165-0x0000000000000000-mapping.dmp

memory/2332-169-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2332-170-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2500-171-0x0000000024160000-0x00000000241C2000-memory.dmp