Malware Analysis Report

2025-08-05 12:35

Sample ID: 221106-j6ez3sdghp
Target: 86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba
SHA256: 86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba
Tags: persistence cybergate client stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba

Threat Level: Known bad

The file 86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba was found to be: Known bad.

Malicious Activity Summary

persistence cybergate client stealer trojan upx

CyberGate, Rebhip

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-06 08:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-06 08:16
Reported: 2022-11-06 09:32
Platform: win7-20220812-en
Max time kernel: 42s
Max time network: 45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe"

Signatures

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"
Process: C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"
Process: C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
Target: N/A

Runs net.exe (net stop MpsSvc: MpsSvc is the Windows Firewall service, so this is firewall tampering; see Processes below for the full cmd.exe -> net.exe -> net1.exe chain)

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
Description, Indicator, Target: N/A

Suspicious use of WriteProcessMemory

Writer -> target (one line per distinct pair; the report lists each pair once per WriteProcessMemory call, Indicator N/A throughout):

PID 1140 C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe -> PID 1136 C:\Windows\SysWOW64\cmd.exe (4 rows)
PID 1140 C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe -> PID 1828 C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe (5 rows)
PID 1136 C:\Windows\SysWOW64\cmd.exe -> PID 1768 C:\Windows\SysWOW64\net.exe (4 rows)
PID 1768 C:\Windows\SysWOW64\net.exe -> PID 976 C:\Windows\SysWOW64\net1.exe (4 rows)

The rows toward cmd.exe, net.exe and net1.exe accompany ordinary child-process creation. The rows toward PID 1828 are the sample writing into a second instance of its own executable; together with the "Suspicious use of SetThreadContext" signature in the summary this matches the RunPE/process-hollowing pattern. That reading is an inference from the listed calls; the report does not show the image that was written.

Processes

Tree reconstructed from the WriteProcessMemory parent/child pairs above. Each entry is the image path followed by its command line.

PID 1140  C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
          "C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe"
  PID 1136  C:\Windows\SysWOW64\cmd.exe
            /c net stop MpsSvc
    PID 1768  C:\Windows\SysWOW64\net.exe
              net stop MpsSvc
      PID 976  C:\Windows\SysWOW64\net1.exe
               C:\Windows\system32\net1 stop MpsSvc
  PID 1828  C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
            C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe

Network

N/A

Files

memory/1140-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

memory/1136-55-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe

MD5 31b32a4b9868e2872e08cbc5edc6f1f0
SHA1 8b879e7d75a05b957a49740a302eec40d63630e3
SHA256 86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba
SHA512 f680e855961e791287472d78a6772e4725f1a2421182d0fd75ef546bff9b8082de446866515df7ca227da07e15fb5313070efea3a7d1a6173198b03905e01855

memory/1828-57-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1828-58-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1768-60-0x0000000000000000-mapping.dmp

memory/976-61-0x0000000000000000-mapping.dmp

memory/1140-62-0x00000000001C0000-0x00000000001C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-06 08:16
Reported: 2022-11-06 09:32
Platform: win10v2004-20220901-en
Max time kernel: 150s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

UPX packed file

upx (matched 4 times; Description, Indicator, Process and Target are N/A for every match)

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"
Process: C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"
Process: C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
Target: N/A

Both the per-user Run key and the 32-bit (WOW6432Node) view of the machine-wide Run key receive a value named help pointing at %APPDATA%\InstallDir\help.exe. Neither Files listing in this report contains help.exe, so the persistence target was not observed being written during either run; on a live host, check for the file as well as the registry value.

Enumerates physical storage devices

Runs net.exe (net stop MpsSvc: MpsSvc is the Windows Firewall service; see Processes below for the cmd.exe -> net.exe -> net1.exe chain)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege, enabled twice by C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe (Indicator and Target: N/A)

SeDebugPrivilege lets a process open handles to processes it does not own, including system processes, so it is typically enabled before process enumeration or injection into processes other than the caller's own children.

Suspicious use of WriteProcessMemory

Writer -> target (one line per distinct pair; the report lists each pair once per WriteProcessMemory call, Indicator N/A throughout):

PID 2404 C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe -> PID 1104 C:\Windows\SysWOW64\cmd.exe (3 rows)
PID 2404 C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe -> PID 4744 C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe (13 rows)
PID 1104 C:\Windows\SysWOW64\cmd.exe -> PID 2156 C:\Windows\SysWOW64\net.exe (3 rows)
PID 2156 C:\Windows\SysWOW64\net.exe -> PID 3796 C:\Windows\SysWOW64\net1.exe (3 rows)
PID 4744 C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe -> PID 2084 C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe (42 rows)

Processes

Tree reconstructed from the WriteProcessMemory parent/child pairs above. Each entry is the image path followed by its command line.

PID 2404  C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
          "C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe"
  PID 1104  C:\Windows\SysWOW64\cmd.exe
            /c net stop MpsSvc
    PID 2156  C:\Windows\SysWOW64\net.exe
              net stop MpsSvc
      PID 3796  C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop MpsSvc
  PID 4744  C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
            C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
    PID 2084  C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
              "C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe"
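The process, WriteProcessMemory and Run-key rows of behavioral1 and behavioral2 all describe the same three behaviours: a cmd.exe -> net.exe -> net1.exe chain stopping MpsSvc, a parent writing into a fresh copy of its own image, and a Run value pointing into AppData. The following Python is an added example for this page (not sandbox output, and not code from the sample or the CyberGate family) that transcribes the behavioral2 rows into plain records and applies those three checks. The record field names (pid, ppid, image, cmdline), the regular expressions and the parent/child assignment from the memory-write pairs are this example's own choices, not the sandbox's schema.

```python
"""Triage rules over the process, memory-write and registry rows of this report.

Added example for this page; it is not sandbox output and not CyberGate code.
The records below are transcribed by hand from the behavioral2 rows (behavioral1
shows the same chain with PIDs 1140/1136/1768/976/1828). Field names such as
pid, ppid, image and cmdline are this example's own, not the sandbox's schema.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe")

# Process list; parent PIDs are taken from the "wrote to memory of" rows.
PROCESSES = [
    {"pid": 2404, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1104, "ppid": 2404, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "/c net stop MpsSvc"},
    {"pid": 2156, "ppid": 1104, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net stop MpsSvc"},
    {"pid": 3796, "ppid": 2156, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop MpsSvc"},
    {"pid": 4744, "ppid": 2404, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 2084, "ppid": 4744, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
]

# One (writer, target) pair per WriteProcessMemory row; the report repeats each pair.
MEMORY_WRITES = ([(2404, 1104)] * 3 + [(2404, 4744)] * 13 + [(1104, 2156)] * 3
                 + [(2156, 3796)] * 3 + [(4744, 2084)] * 42)

# (key, value) pairs from the "Adds Run key to start application" rows.
REGISTRY_SETS = [
    (r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000"
     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help",
     r"C:\Users\Admin\AppData\Roaming\InstallDir\help.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help",
     r"C:\Users\Admin\AppData\Roaming\InstallDir\help.exe"),
]

# net.exe or net1.exe stopping MpsSvc, the Windows Firewall service.
FIREWALL_STOP = re.compile(r"\bnet1?(?:\.exe)?\b.*\bstop\s+MpsSvc\b", re.IGNORECASE)
# Any Run/RunOnce key, whichever hive or WOW6432Node view it lives under.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# A path any user can write to without elevation.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def render_tree(processes, root):
    """Indented parent/child view of the process list, one line per process."""
    by_pid = {p["pid"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[p["ppid"]].append(p["pid"])
    lines = []

    def walk(pid, depth):
        p = by_pid[pid]
        name = p["image"].rsplit("\\", 1)[-1]
        lines.append(f"{'  ' * depth}{name} (pid {pid}): {p['cmdline']}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def firewall_tamper(processes):
    """PIDs whose command line stops MpsSvc (Windows Firewall)."""
    return [p["pid"] for p in processes if FIREWALL_STOP.search(p["cmdline"])]


def self_injection(processes, writes):
    """(writer, target) pairs where a process writes into another instance of its
    own image, with the number of WriteProcessMemory rows for that pair. This is
    the shape RunPE-style hollowing leaves; ordinary child creation writes into
    a different image (cmd.exe, net.exe) and is ignored here."""
    by_pid = {p["pid"]: p for p in processes}
    hits = defaultdict(int)
    for writer, target in writes:
        if by_pid[writer]["image"].lower() == by_pid[target]["image"].lower():
            hits[(writer, target)] += 1
    return dict(hits)


def run_key_persistence(registry_sets):
    """(value name, path) for Run/RunOnce values that point at a user-writable AppData path."""
    return [(key.rsplit("\\", 1)[-1], value) for key, value in registry_sets
            if RUN_KEY.search(key) and USER_WRITABLE.search(value)]


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES, 2404)))
    print("firewall tamper:", firewall_tamper(PROCESSES))
    print("self-injection:", self_injection(PROCESSES, MEMORY_WRITES))
    print("run-key persistence:", run_key_persistence(REGISTRY_SETS))
```

The three checks are independent so that a partial capture (behavioral1 never reached the network and has no Run-key target on disk) still yields the findings it can support. The self-injection check keys on "same image as the writer" rather than on a write count, because the count in a sandbox report depends on how the payload was chunked, not on whether injection happened.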

Network

Country  Destination          Domain                Proto  Rows
US       93.184.220.29:80     -                     tcp    1
US       8.8.8.8:53           ph4nt0mzz.zapto.org   udp    3
US       20.42.73.24:443      -                     tcp    1
US       8.8.8.8:53           ph4nt0mzz.zapto.org   udp    4
NL       178.79.208.1:80      -                     tcp    1
US       8.8.8.8:53           ph4nt0mzz.zapto.org   udp    4
NL       104.80.225.205:443   -                     tcp    1
US       8.8.8.8:53           ph4nt0mzz.zapto.org   udp    11

The 22 DNS rows are repeated lookups of one name, ph4nt0mzz.zapto.org, under zapto.org, a No-IP dynamic DNS parent. No TCP flow in the capture is attributed to that name, so the sample kept querying its C2 host but never connected to it during the 154s run. The four TCP connections carry no domain and no process attribution in this report; treat them as unattributed until they are correlated against the packet capture rather than as sample IOCs.
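To turn a table like the one above into exportable IOCs, an analyst wants the per-name query count, a flag for dynamic DNS parents, and a split between names the sample actually reached and endpoints the capture does not attribute to anything. The following Python is an added example for this page (not sandbox output) that does that over the rows transcribed from this report. DYNAMIC_DNS_SUFFIXES is this example's own short list of No-IP free domains and is an assumption to maintain, not data from the report; the five-query threshold in unreached_c2_candidates is likewise an arbitrary choice.

```python
"""Aggregate the behavioral2 network table of this report into IOC-ready facts.

Added example for this page, not sandbox output. NETWORK_ROWS is transcribed
from the report's table; DYNAMIC_DNS_SUFFIXES is this example's own list of
No-IP free dynamic-DNS parents (an assumption to maintain, not report data).
"""
from collections import Counter

DNS_ROW = ("US", "8.8.8.8:53", "ph4nt0mzz.zapto.org", "udp")

# (country, destination, domain, proto) in the report's order; the 22 identical
# DNS rows are expressed with multipliers instead of being repeated.
NETWORK_ROWS = (
    [("US", "93.184.220.29:80", "", "tcp")] + [DNS_ROW] * 3
    + [("US", "20.42.73.24:443", "", "tcp")] + [DNS_ROW] * 4
    + [("NL", "178.79.208.1:80", "", "tcp")] + [DNS_ROW] * 4
    + [("NL", "104.80.225.205:443", "", "tcp")] + [DNS_ROW] * 11
)

DYNAMIC_DNS_SUFFIXES = {"zapto.org", "hopto.org", "no-ip.org", "no-ip.biz",
                        "ddns.net", "sytes.net", "redirectme.net"}


def parent_domain(domain):
    """Last two labels of a hostname: ph4nt0mzz.zapto.org -> zapto.org."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dns_query_counts(rows):
    """How many times each name was looked up (UDP rows that carry a domain)."""
    return Counter(domain for _, _, domain, proto in rows if proto == "udp" and domain)


def dynamic_dns_lookups(rows):
    """Queried names under a known free dynamic-DNS parent, the usual choice for
    a RAT builder's C2 host field."""
    return sorted(d for d in dns_query_counts(rows)
                  if parent_domain(d) in DYNAMIC_DNS_SUFFIXES)


def tcp_destinations(rows):
    """TCP endpoints with the domain the capture attributed to them ('' when none)."""
    return [(dest, domain) for _, dest, domain, proto in rows if proto == "tcp"]


def unreached_c2_candidates(rows, min_queries=5):
    """Names queried at least min_queries times with no TCP flow attributed to
    them: the sample kept asking for its C2 host but never connected to it."""
    reached = {domain for _, domain in tcp_destinations(rows) if domain}
    return sorted(d for d, n in dns_query_counts(rows).items()
                  if n >= min_queries and d not in reached)


def unattributed_tcp(rows):
    """TCP endpoints the capture ties to no domain; kept apart from the IOC list
    because they may be sandbox or OS background traffic."""
    return [dest for dest, domain in tcp_destinations(rows) if not domain]


def iocs(rows):
    """Summary a triage note or blocklist can be built from."""
    return {
        "dns_query_counts": dict(dns_query_counts(rows)),
        "dynamic_dns_domains": dynamic_dns_lookups(rows),
        "unreached_c2_candidates": unreached_c2_candidates(rows),
        "unattributed_tcp": unattributed_tcp(rows),
    }


if __name__ == "__main__":
    for key, value in iocs(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

Only names the sample queried go into the blocklist candidates; the unattributed TCP endpoints are reported separately so that a resolver or CDN address does not end up blocked on the strength of a sandbox capture alone.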

Files

memory/1104-132-0x0000000000000000-mapping.dmp

memory/4744-133-0x0000000000000000-mapping.dmp

memory/4744-136-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe

MD5 31b32a4b9868e2872e08cbc5edc6f1f0
SHA1 8b879e7d75a05b957a49740a302eec40d63630e3
SHA256 86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba
SHA512 f680e855961e791287472d78a6772e4725f1a2421182d0fd75ef546bff9b8082de446866515df7ca227da07e15fb5313070efea3a7d1a6173198b03905e01855

memory/4744-137-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2404-138-0x0000000000520000-0x0000000000524000-memory.dmp

memory/4744-134-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2156-139-0x0000000000000000-mapping.dmp

memory/3796-140-0x0000000000000000-mapping.dmp

memory/4744-141-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2084-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe

MD5 31b32a4b9868e2872e08cbc5edc6f1f0
SHA1 8b879e7d75a05b957a49740a302eec40d63630e3
SHA256 86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba
SHA512 f680e855961e791287472d78a6772e4725f1a2421182d0fd75ef546bff9b8082de446866515df7ca227da07e15fb5313070efea3a7d1a6173198b03905e01855

memory/4744-145-0x0000000010410000-0x0000000010480000-memory.dmp

memory/2084-148-0x0000000010410000-0x0000000010480000-memory.dmp

memory/2084-149-0x0000000010410000-0x0000000010480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 743c17705fb79d86efd6ded5a57e7dbb
SHA1 ed2255f22083b33dad301a05bc3f36d756acc18d
SHA256 0108efd7ecd7685fc99fa32b8abbb02bcd89815df6fb973187489cb67d2590f1
SHA512 d9d92078ffb30559fbc3142bfee9b5944d2181441e651b2c0a7d17187d46fbe4998f86cab0874ffaeb8903fde94de9deb92d16111437f8d1ab7ce832951445af

memory/4744-151-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2084-152-0x0000000010410000-0x0000000010480000-memory.dmp