Malware Analysis Report

2025-08-06 03:47

Sample ID 221106-hl5vbsggb5
Target f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb
SHA256 f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb
Tags
cybergate öííé persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb

Threat Level: Known bad

The file f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb was found to be: Known bad.

Malicious Activity Summary

cybergate öííé persistence stealer trojan upx

CyberGate, Rebhip

Modifies Installed Components in the registry

UPX packed file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 06:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 06:50

Reported

2022-11-06 07:42

Platform

win7-20220812-en

Max time kernel

151s

Max time network

86s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\windows\SysWOW64\microsoft\Win_Xp.exe | N/A  (2 identical events)

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML} | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}\StubPath = "c:\\windows\\system32\\microsoft\\Win_Xp.exe Restart" | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}\StubPath = "c:\\windows\\system32\\microsoft\\Win_Xp.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (9 identical rows)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | \??\c:\windows\SysWOW64\microsoft\Win_Xp.exe | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\microsoft\Win_Xp.exe | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\microsoft\Win_Xp.exe | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\microsoft\ | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A  (2 identical events)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2020 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe  (12 identical events)
PID 1516 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | C:\Windows\Explorer.EXE  (52 identical events)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe

"C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe"

C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe

C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe

"C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe"

C:\windows\SysWOW64\microsoft\Win_Xp.exe

"C:\windows\system32\microsoft\Win_Xp.exe"

C:\windows\SysWOW64\microsoft\Win_Xp.exe

C:\windows\SysWOW64\microsoft\Win_Xp.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | adgjsgy.servebeer.com | udp

Files

memory/1516-54-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1516-55-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1516-57-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1516-59-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1516-62-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1516-65-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1516-67-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1516-70-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1516-72-0x000000000040BBF4-mapping.dmp

memory/1516-73-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1516-74-0x0000000075451000-0x0000000075453000-memory.dmp

memory/1516-75-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1516-77-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1412-80-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1672-83-0x0000000000000000-mapping.dmp

memory/1672-85-0x0000000074951000-0x0000000074953000-memory.dmp

memory/1516-86-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1672-91-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 d8a3ce65311f6bd10247ad6217d3184f
SHA1 62c71a1cacdfb93b27a542bac1273549c3af00a3
SHA256 82fbc5c702026dd5cc24f5aaf360af45c91a90a39fed26dddc02effee26e267b
SHA512 220d492305ba288e54cfa4b2a6d78295426c6340a7fa45012a43cc71002c6021167e650c2b6060eeaed0acf929ec3ba783088abfd0934481139175ba4228f843

\??\c:\windows\SysWOW64\microsoft\Win_Xp.exe

MD5 30464eecf372816062dd039ed14bacd0
SHA1 a8ffc5816ff00d05ea2b0f76b4482fd240e732e0
SHA256 f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb
SHA512 9d53c59582f94f360ba66999655f81dd9f4db31a879769f10cc8cab58f8792e06ecb2807d85819f128fc98f3330e86fecc7240fdbf4d93d4f587ac75526ac7ec

memory/1672-94-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1516-96-0x0000000000320000-0x0000000000382000-memory.dmp

memory/1624-100-0x0000000000000000-mapping.dmp

memory/1516-102-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1624-107-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1624-108-0x00000000240F0000-0x0000000024152000-memory.dmp

\Windows\SysWOW64\microsoft\Win_Xp.exe

MD5 30464eecf372816062dd039ed14bacd0
SHA1 a8ffc5816ff00d05ea2b0f76b4482fd240e732e0
SHA256 f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb
SHA512 9d53c59582f94f360ba66999655f81dd9f4db31a879769f10cc8cab58f8792e06ecb2807d85819f128fc98f3330e86fecc7240fdbf4d93d4f587ac75526ac7ec

\Windows\SysWOW64\microsoft\Win_Xp.exe

MD5 30464eecf372816062dd039ed14bacd0
SHA1 a8ffc5816ff00d05ea2b0f76b4482fd240e732e0
SHA256 f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb
SHA512 9d53c59582f94f360ba66999655f81dd9f4db31a879769f10cc8cab58f8792e06ecb2807d85819f128fc98f3330e86fecc7240fdbf4d93d4f587ac75526ac7ec

memory/1568-111-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\microsoft\Win_Xp.exe

MD5 30464eecf372816062dd039ed14bacd0
SHA1 a8ffc5816ff00d05ea2b0f76b4482fd240e732e0
SHA256 f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb
SHA512 9d53c59582f94f360ba66999655f81dd9f4db31a879769f10cc8cab58f8792e06ecb2807d85819f128fc98f3330e86fecc7240fdbf4d93d4f587ac75526ac7ec

memory/1624-113-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1200-132-0x000000000040BBF4-mapping.dmp

C:\Windows\SysWOW64\microsoft\Win_Xp.exe

MD5 30464eecf372816062dd039ed14bacd0
SHA1 a8ffc5816ff00d05ea2b0f76b4482fd240e732e0
SHA256 f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb
SHA512 9d53c59582f94f360ba66999655f81dd9f4db31a879769f10cc8cab58f8792e06ecb2807d85819f128fc98f3330e86fecc7240fdbf4d93d4f587ac75526ac7ec

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 06:50

Reported

2022-11-06 07:40

Platform

win10v2004-20220812-en

Max time kernel

153s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\windows\SysWOW64\microsoft\Win_Xp.exe | N/A  (2 identical events)

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}\StubPath = "c:\\windows\\system32\\microsoft\\Win_Xp.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML} | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}\StubPath = "c:\\windows\\system32\\microsoft\\Win_Xp.exe Restart" | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML} | C:\Windows\SysWOW64\explorer.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (9 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | \??\c:\windows\SysWOW64\microsoft\Win_Xp.exe | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\microsoft\Win_Xp.exe | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\microsoft\Win_Xp.exe | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\microsoft\ | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A  (2 identical events)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3628 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe  (13 identical events)
PID 4980 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe | C:\Windows\Explorer.EXE  (37 identical events)
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE
PID 4980 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Windows\Explorer.EXE

Processes

Process Command Line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe "C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe"
C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe "C:\Users\Admin\AppData\Local\Temp\f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb.exe"
C:\windows\SysWOW64\microsoft\Win_Xp.exe "C:\windows\system32\microsoft\Win_Xp.exe"
C:\windows\SysWOW64\microsoft\Win_Xp.exe C:\windows\SysWOW64\microsoft\Win_Xp.exe

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 20.189.173.13:443 tcp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 216.218.185.162:80 tcp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp
US 8.8.8.8:53 adgjsgy.servebeer.com udp

Files

memory/4980-132-0x0000000000000000-mapping.dmp

memory/4980-133-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4980-134-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4980-136-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4980-138-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4980-139-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4980-140-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4980-142-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4980-143-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4980-145-0x0000000024010000-0x0000000024072000-memory.dmp

memory/3060-149-0x0000000000000000-mapping.dmp

memory/4980-150-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3060-153-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 d8a3ce65311f6bd10247ad6217d3184f
SHA1 62c71a1cacdfb93b27a542bac1273549c3af00a3
SHA256 82fbc5c702026dd5cc24f5aaf360af45c91a90a39fed26dddc02effee26e267b
SHA512 220d492305ba288e54cfa4b2a6d78295426c6340a7fa45012a43cc71002c6021167e650c2b6060eeaed0acf929ec3ba783088abfd0934481139175ba4228f843

\??\c:\windows\SysWOW64\microsoft\Win_Xp.exe

MD5 30464eecf372816062dd039ed14bacd0
SHA1 a8ffc5816ff00d05ea2b0f76b4482fd240e732e0
SHA256 f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb
SHA512 9d53c59582f94f360ba66999655f81dd9f4db31a879769f10cc8cab58f8792e06ecb2807d85819f128fc98f3330e86fecc7240fdbf4d93d4f587ac75526ac7ec

memory/3060-156-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4980-158-0x00000000005E0000-0x0000000000642000-memory.dmp

memory/2716-162-0x0000000000000000-mapping.dmp

memory/4980-163-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/2716-166-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/2716-167-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/3640-168-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\microsoft\Win_Xp.exe

MD5 30464eecf372816062dd039ed14bacd0
SHA1 a8ffc5816ff00d05ea2b0f76b4482fd240e732e0
SHA256 f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb
SHA512 9d53c59582f94f360ba66999655f81dd9f4db31a879769f10cc8cab58f8792e06ecb2807d85819f128fc98f3330e86fecc7240fdbf4d93d4f587ac75526ac7ec

memory/2716-170-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/424-171-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\microsoft\Win_Xp.exe

MD5 30464eecf372816062dd039ed14bacd0
SHA1 a8ffc5816ff00d05ea2b0f76b4482fd240e732e0
SHA256 f826a7f302072952f65dff9876dd6aa014fb246fab01f93fe7122d6157dc6ceb
SHA512 9d53c59582f94f360ba66999655f81dd9f4db31a879769f10cc8cab58f8792e06ecb2807d85819f128fc98f3330e86fecc7240fdbf4d93d4f587ac75526ac7ec

memory/424-183-0x0000000000400000-0x000000000044E000-memory.dmp