Malware Analysis Report

2025-08-05 12:36

Sample ID 221106-kfc88sechn
Target 70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6
SHA256 70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6
Tags
cybergate kaki persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6

Threat Level: Known bad

The file 70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6 was found to be: Known bad.

Malicious Activity Summary

cybergate kaki persistence stealer trojan upx

CyberGate, Rebhip

Observed chain, the same on the Windows 7 and Windows 10 detonations: the sample writes a byte-identical copy of itself to C:\Windows\install\smss.exe (its SHA256 matches the submitted file; the name mimics the Session Manager binary, which legitimately runs only from C:\Windows\System32), registers that copy as the "Policies" value under both HKCU and HKLM ...\Policies\Explorer\Run and as the StubPath of a bogus Active Setup component {SWID8710-7SC0-G3T4-UVWB-KHO6VMY87GP6}, spawns two further instances of itself (PIDs 1028 -> 888 -> 2020 on Windows 7, 3364 -> 4884 -> 4808 on Windows 10) and writes into the desktop Explorer.EXE. A 32-bit C:\Windows\SysWOW64\explorer.exe instance then rewrites the StubPath, reopens the dropped file and enables SeDebugPrivilege, which is consistent with the payload running from injected code. On Windows 7 the sample resolves the dynamic-DNS name filas0.zapto.org via 8.8.8.8.

Executes dropped EXE

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 08:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 08:32

Reported

2022-11-06 09:53

Platform

win7-20220812-en

Max time kernel

152s

Max time network

88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\smss.exe" C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\smss.exe" C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install\smss.exe N/A (3 executions)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{SWID8710-7SC0-G3T4-UVWB-KHO6VMY87GP6} C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{SWID8710-7SC0-G3T4-UVWB-KHO6VMY87GP6}\StubPath = "C:\\Windows\\install\\smss.exe Restart" C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{SWID8710-7SC0-G3T4-UVWB-KHO6VMY87GP6} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{SWID8710-7SC0-G3T4-UVWB-KHO6VMY87GP6}\StubPath = "C:\\Windows\\install\\smss.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
8 matches; the report records no indicator, process or target for this signature (all N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A (2 events)

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\SysWOW64\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\install\ C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\install\smss.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
File opened for modification C:\Windows\install\smss.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
File opened for modification C:\Windows\install\smss.exe C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A (2 events)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 888 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe
PID 888 wrote to memory of 2020 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe
PID 2020 wrote to memory of 1244 (43 events) N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Windows\Explorer.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe

"C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe

C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe

C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe

C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\install\smss.exe

"C:\Windows\install\smss.exe"

C:\Windows\install\smss.exe

C:\Windows\install\smss.exe

C:\Windows\install\smss.exe

C:\Windows\install\smss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 filas0.zapto.org udp
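The persistence keys, the self-copy into C:\Windows\install, the WriteProcessMemory chain ending in Explorer.EXE and the dynamic-DNS lookup above are the behaviours a detection engineer would alert on. The following is an added example written by the editor; it is not output of the sandbox and not code of the malware. It encodes those behaviours as rules and runs them over event records constructed from this report's behavioral1 tables. The PIDs on the registry, file, process-start and DNS rows are not stated by the report and are assumed; the ATT&CK technique IDs, the trusted-directory list and the dynamic-DNS suffix list are the editor's choices, not the report's.

```python
"""Detection rules over the behaviours this report records. Added example (editor's
code, not sandbox output). EVENTS is constructed from the report's behavioral1 tables;
PIDs the report does not state are assumed, ATT&CK IDs are the editor's mapping."""
from collections import namedtuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe")
SAMPLE_SHA256 = "70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6"
DROPPED = r"C:\Windows\install\smss.exe"
POLICY_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
ACTIVE_SETUP = (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
                r"\{SWID8710-7SC0-G3T4-UVWB-KHO6VMY87GP6}")

EVENTS = [  # constructed from the report; PIDs on non-WriteProcessMemory rows are assumed
    {"kind": "reg_set", "pid": 1028, "image": SAMPLE, "key": POLICY_RUN, "name": "Policies", "data": DROPPED},
    {"kind": "reg_set", "pid": 1028, "image": SAMPLE, "key": ACTIVE_SETUP, "name": "StubPath",
     "data": DROPPED + " Restart"},
    {"kind": "file_create", "pid": 1028, "image": SAMPLE, "path": DROPPED, "sha256": SAMPLE_SHA256},
    {"kind": "proc_write", "pid": 1028, "image": SAMPLE, "target_pid": 888, "target_image": SAMPLE},
    {"kind": "proc_write", "pid": 888, "image": SAMPLE, "target_pid": 2020, "target_image": SAMPLE},
    {"kind": "proc_write", "pid": 2020, "image": SAMPLE, "target_pid": 1244,
     "target_image": r"C:\Windows\Explorer.EXE"},
    {"kind": "proc_start", "pid": 1976, "image": DROPPED},
    {"kind": "dns", "pid": 2020, "image": SAMPLE, "query": "filas0.zapto.org"},
    # Constructed benign control rows: no rule should fire on these.
    {"kind": "proc_start", "pid": 300, "image": r"C:\Windows\System32\smss.exe"},
    {"kind": "dns", "pid": 900, "image": r"C:\Windows\System32\svchost.exe", "query": "ctldl.windowsupdate.com"},
]

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Core Windows binaries and the only directories they legitimately run from.
SYSTEM_BINARIES = {"smss.exe": ("c:\\windows\\system32\\",), "csrss.exe": ("c:\\windows\\system32\\",),
                   "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")}
DYNDNS_SUFFIXES = (".zapto.org", ".no-ip.org", ".ddns.net", ".hopto.org")  # assumed starter list

Finding = namedtuple("Finding", "rule technique pid detail")  # technique: ATT&CK ID, editor's mapping

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def _command_image(cmd: str) -> str:
    """Executable part of a command line: the quoted path, else up to the first space."""
    cmd = cmd.strip()
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def rule_policy_run(ev: dict):
    """Autostart via Policies\\Explorer\\Run, a key ordinary installers do not touch."""
    if ev["kind"] == "reg_set" and ev["key"].lower().endswith("\\policies\\explorer\\run"):
        return Finding("policy_run_key", "T1547.001", ev["pid"], f"{ev['name']} = {ev['data']}")

def rule_active_setup(ev: dict):
    """Active Setup StubPath whose executable sits outside trusted directories."""
    if ev["kind"] != "reg_set" or ev["name"].lower() != "stubpath":
        return None
    if "\\active setup\\installed components\\" not in ev["key"].lower():
        return None
    if not _command_image(ev["data"]).lower().startswith(TRUSTED_DIRS):
        return Finding("active_setup_stubpath", "T1547.014", ev["pid"], f"StubPath = {ev['data']}")

def rule_self_copy(ev: dict):
    """A written file that is byte-identical to the submitted sample."""
    if (ev["kind"] == "file_create" and ev.get("sha256") == SAMPLE_SHA256
            and ev["path"].lower() != SAMPLE.lower()):
        return Finding("dropped_self_copy", "T1036.005", ev["pid"], f"{ev['path']} == sample")

def rule_cross_process_write(ev: dict):
    """A process from a user-writable path writes into a process of a different image."""
    if ev["kind"] != "proc_write":
        return None
    src, dst = ev["image"].lower(), ev["target_image"].lower()
    if src.startswith(USER_WRITABLE) and src != dst:
        return Finding("cross_process_write", "T1055", ev["pid"],
                       f"{_basename(src)} -> {_basename(dst)} (pid {ev['target_pid']})")

def rule_masquerade(ev: dict):
    """A core system binary name running from a directory it never lives in."""
    if ev["kind"] != "proc_start":
        return None
    allowed = SYSTEM_BINARIES.get(_basename(ev["image"]))
    directory = ev["image"].lower().rsplit("\\", 1)[0] + "\\"
    if allowed is not None and directory not in allowed:
        return Finding("system_name_masquerade", "T1036.005", ev["pid"], ev["image"])

def rule_dyndns(ev: dict):
    """DNS query for a free dynamic-DNS zone, a common home for RAT C2 names."""
    if ev["kind"] == "dns" and ev["query"].lower().endswith(DYNDNS_SUFFIXES):
        return Finding("dynamic_dns_query", "T1568", ev["pid"], ev["query"])

RULES = (rule_policy_run, rule_active_setup, rule_self_copy,
         rule_cross_process_write, rule_masquerade, rule_dyndns)

def evaluate(events: list) -> list:
    """Apply every rule to every event; findings come back in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]

if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"[{f.rule}] {f.technique} pid={f.pid}: {f.detail}")
```

Run as a script it prints six findings, one per rule, and nothing for the two benign control rows (the real System32 smss.exe and a Windows Update lookup). The first two self-writes in the WriteProcessMemory chain (1028 -> 888, 888 -> 2020) are deliberately not flagged by rule_cross_process_write because source and target share an image; catching those as hollowing needs the SetThreadContext signal the report lists but these records do not carry. To run the same rules over real telemetry, map Sysmon event IDs 13 (registry value set), 11 (file create), 10 (process access), 1 (process create) and 22 (DNS query) onto the kind values used here.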

Files

memory/888-54-0x0000000000400000-0x000000000046E000-memory.dmp

memory/888-55-0x0000000000400000-0x000000000046E000-memory.dmp

memory/888-57-0x0000000000400000-0x000000000046E000-memory.dmp

memory/888-59-0x0000000000400000-0x000000000046E000-memory.dmp

memory/888-61-0x0000000000400000-0x000000000046E000-memory.dmp

memory/888-63-0x0000000000468200-mapping.dmp

memory/888-65-0x0000000000400000-0x000000000046E000-memory.dmp

memory/888-66-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2020-68-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2020-70-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2020-75-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2020-80-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2020-78-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2020-83-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2020-72-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2020-67-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2020-85-0x000000000040BBF4-mapping.dmp

memory/888-87-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2020-86-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2020-88-0x0000000075021000-0x0000000075023000-memory.dmp

memory/2020-89-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2020-91-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1244-94-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1976-97-0x0000000000000000-mapping.dmp

memory/1976-99-0x0000000074B81000-0x0000000074B83000-memory.dmp

memory/2020-100-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1976-105-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 86f11b1da08727710f5a5e6559bf790d
SHA1 71d0f9193e9c2463ae3a8fc5ae3c11bb6897c858
SHA256 d16421e9907c580b555a93a357e00b67f18a9a2fea5a44a4fdd04c263e5bd353
SHA512 447dc92b6d8e057d29cd504133291ffd1a6c9ba4e52aba31a688188b4e63a92937ec61464136a4334297a465f335a05383cd953bfc7ce54170af043c61cc7aca

C:\Windows\install\smss.exe (dropped self-copy: every hash below matches the submitted sample; the name mimics the Session Manager binary, which legitimately runs only from C:\Windows\System32)

MD5 355c77e57de2ad165d93e4199fe9b48e
SHA1 38f602a53cc0803134bf7a85ea9206958168cee3
SHA256 70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6
SHA512 e9d4b4641dab8bf6e2fb2bb94f9ef89ec206bf0068e85f1c8378be0ec9009e30ee08411bcf0e7eddc1bf52296ecb5a7911d762652091e66bc1f024a1add60ee9

memory/1976-108-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1144-110-0x0000000000000000-mapping.dmp

memory/2020-113-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1144-118-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1144-119-0x00000000240F0000-0x0000000024152000-memory.dmp

\Windows\install\smss.exe

MD5/SHA1/SHA256/SHA512 identical to the C:\Windows\install\smss.exe entry above

memory/1076-122-0x0000000000000000-mapping.dmp

\Windows\install\smss.exe

MD5/SHA1/SHA256/SHA512 identical to the C:\Windows\install\smss.exe entry above

C:\Windows\install\smss.exe

MD5/SHA1/SHA256/SHA512 identical to the C:\Windows\install\smss.exe entry above

memory/2024-133-0x0000000000468200-mapping.dmp

C:\Windows\install\smss.exe

MD5/SHA1/SHA256/SHA512 identical to the C:\Windows\install\smss.exe entry above

memory/2024-137-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2024-138-0x0000000000400000-0x000000000046E000-memory.dmp

memory/1868-157-0x000000000040BBF4-mapping.dmp

C:\Windows\install\smss.exe

MD5/SHA1/SHA256/SHA512 identical to the C:\Windows\install\smss.exe entry above

memory/2024-160-0x0000000000400000-0x000000000046E000-memory.dmp

memory/1144-163-0x00000000240F0000-0x0000000024152000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 08:32

Reported

2022-11-06 09:53

Platform

win10v2004-20220812-en

Max time kernel

157s

Max time network

172s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\smss.exe" C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\smss.exe" C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install\smss.exe N/A (3 executions)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SWID8710-7SC0-G3T4-UVWB-KHO6VMY87GP6} C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SWID8710-7SC0-G3T4-UVWB-KHO6VMY87GP6}\StubPath = "C:\\Windows\\install\\smss.exe Restart" C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SWID8710-7SC0-G3T4-UVWB-KHO6VMY87GP6} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SWID8710-7SC0-G3T4-UVWB-KHO6VMY87GP6}\StubPath = "C:\\Windows\\install\\smss.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
9 matches; the report records no indicator, process or target for this signature (all N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\install\smss.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
File opened for modification C:\Windows\install\smss.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A
File opened for modification C:\Windows\install\smss.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\install\ C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A (2 events)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3364 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe
PID 3364 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe
PID 3364 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe
PID 3364 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe
PID 3364 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe
PID 3364 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe
PID 3364 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe
PID 3364 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe
PID 4884 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe
(the event above is recorded 13 times in the report)
PID 4808 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe C:\Windows\Explorer.EXE
(the event above is recorded 43 times in the report)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe

"C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe"

C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe

C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe

C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe

C:\Users\Admin\AppData\Local\Temp\70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\install\smss.exe

"C:\Windows\install\smss.exe"

C:\Windows\install\smss.exe

C:\Windows\install\smss.exe

C:\Windows\install\smss.exe

C:\Windows\install\smss.exe

Network

Country Destination Domain Proto Count
US 20.189.173.13:443 tcp 1
US 8.8.8.8:53 filas0.zapto.org udp 20
NL 104.80.225.205:443 tcp 1
NL 95.101.78.82:80 tcp 2
US 209.197.3.8:80 tcp 1

Files

memory/4884-132-0x0000000000000000-mapping.dmp

memory/4884-133-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4884-134-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4884-135-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4884-138-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4884-139-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4808-140-0x0000000000000000-mapping.dmp

memory/4808-141-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4808-142-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4808-144-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4808-146-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4808-147-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4808-148-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4808-151-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4884-150-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4808-152-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4808-154-0x0000000024010000-0x0000000024072000-memory.dmp

memory/3956-158-0x0000000000000000-mapping.dmp

memory/4808-159-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3956-162-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3956-163-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 86f11b1da08727710f5a5e6559bf790d
SHA1 71d0f9193e9c2463ae3a8fc5ae3c11bb6897c858
SHA256 d16421e9907c580b555a93a357e00b67f18a9a2fea5a44a4fdd04c263e5bd353
SHA512 447dc92b6d8e057d29cd504133291ffd1a6c9ba4e52aba31a688188b4e63a92937ec61464136a4334297a465f335a05383cd953bfc7ce54170af043c61cc7aca

C:\Windows\install\smss.exe

MD5 355c77e57de2ad165d93e4199fe9b48e
SHA1 38f602a53cc0803134bf7a85ea9206958168cee3
SHA256 70fb59af7a390e56dc2c0017e49086cf1444c2fb14239c339dbaaf9468c773a6
SHA512 e9d4b4641dab8bf6e2fb2bb94f9ef89ec206bf0068e85f1c8378be0ec9009e30ee08411bcf0e7eddc1bf52296ecb5a7911d762652091e66bc1f024a1add60ee9

memory/2156-167-0x0000000000000000-mapping.dmp

memory/4808-168-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/2156-171-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/2156-172-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/4384-173-0x0000000000000000-mapping.dmp

memory/2320-175-0x0000000000000000-mapping.dmp

memory/2320-183-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2320-184-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4380-185-0x0000000000000000-mapping.dmp

memory/2320-197-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4380-198-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3956-199-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/2156-200-0x00000000240F0000-0x0000000024152000-memory.dmp