Malware Analysis Report

2025-08-05 12:38

Sample ID 221106-j2selsdfbn
Target 8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311
SHA256 8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311
Tags
cybergate choro persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311

Threat Level: Known bad

The file 8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311 was found to be: Known bad.

Malicious Activity Summary

cybergate choro persistence stealer trojan upx

CyberGate, Rebhip

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Adds policy Run key to start application

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 08:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 08:10

Reported

2022-11-06 09:24

Platform

win7-20220812-en

Max time kernel

43s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe

"C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe"

Network

N/A

Files

memory/1948-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

memory/1948-55-0x00000000003C0000-0x00000000003C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 08:10

Reported

2022-11-06 09:24

Platform

win10v2004-20220901-en

Max time kernel

151s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\svchts\\System.exe" C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\svchts\\System.exe" C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchts\System.exe N/A
N/A N/A C:\Windows\SysWOW64\svchts\System.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{551FGI7H-3V2U-F177-O7QH-C772M3L33882}\StubPath = "C:\\Windows\\system32\\svchts\\System.exe Restart" C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{551FGI7H-3V2U-F177-O7QH-C772M3L33882} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{551FGI7H-3V2U-F177-O7QH-C772M3L33882}\StubPath = "C:\\Windows\\system32\\svchts\\System.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{551FGI7H-3V2U-F177-O7QH-C772M3L33882} C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (9 identical entries; no indicator details recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\svchts\\System.exe" C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\system32\\svchts\\System.exe" C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\svchts\System.exe C:\Windows\SysWOW64\svchts\System.exe N/A
File created C:\Windows\SysWOW64\svchts\System.exe C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A
File opened for modification C:\Windows\SysWOW64\svchts\System.exe C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchts\System.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe (13 identical entries)
PID 4636 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe C:\Windows\Explorer.EXE (51 identical entries)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe

"C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe"

C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe

C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe

"C:\Users\Admin\AppData\Local\Temp\8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe"

C:\Windows\SysWOW64\svchts\System.exe

"C:\Windows\system32\svchts\System.exe"

C:\Windows\SysWOW64\svchts\System.exe

C:\Windows\SysWOW64\svchts\System.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 568

Network

Country  Destination         Domain                  Proto  Count
US       8.8.8.8:53          conquer1000.no-ip.org   udp    26
BE       8.238.110.126:80    N/A                     tcp    4
NL       88.221.25.155:80    N/A                     tcp    2
JP       13.78.111.198:443   N/A                     tcp    1
US       8.247.211.254:80    N/A                     tcp    1
US       204.79.197.203:80   N/A                     tcp    1

Files

memory/4636-132-0x0000000000000000-mapping.dmp

memory/4636-133-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2200-134-0x0000000000AC0000-0x0000000000AC4000-memory.dmp

memory/4636-135-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4636-136-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4636-137-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4636-139-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1292-143-0x0000000000000000-mapping.dmp

memory/4636-144-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1292-147-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 6a2e662afad100adc4d4a7c3547a3d28
SHA1 adae5d49df4eb849fe19b0da6faeb22e0c28c43e
SHA256 00142533392a15c4e6f1de1b21e8137f2f37fadbd5e5079a129f4454a66a4684
SHA512 4773ca5e99c735ab39b607d693e94b40c98d7f7fa456467e77c3349ad50109007fee71543326b74b024954d1b1e00be8aeac1e258bf938697ced8db5cfb60237

C:\Windows\SysWOW64\svchts\System.exe

MD5 30258d571aa875077eaa46d038d9f3f6
SHA1 179c38560faaf7087d6abdad5fb2d2ef1107e4fe
SHA256 8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311
SHA512 519a0402d31c64234f191f8f28f5fbbb4e9a05a8eaf46e5df33a897fe6f41b49f88be5c8811cd98f23bfb75246f16beb72b4abc125b5a776d2ccff876a2c98b8

memory/1292-150-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4636-152-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/2520-156-0x0000000000000000-mapping.dmp

memory/4636-157-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/2520-160-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/4636-161-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2520-162-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/976-163-0x0000000000000000-mapping.dmp

memory/4388-165-0x0000000000000000-mapping.dmp

memory/4388-169-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4388-170-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2520-171-0x0000000024160000-0x00000000241C2000-memory.dmp