Malware Analysis Report

2025-08-05 12:35

Sample ID 221106-kw9blsfbck
Target 4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78
SHA256 4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78
Tags
cybergate persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78

Threat Level: Known bad

The file 4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78 was found to be: Known bad.

Malicious Activity Summary

cybergate persistence stealer trojan upx

CyberGate, Rebhip

Molebox Virtualization software

Adds policy Run key to start application

Modifies Installed Components in the registry

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 08:58

Signatures

Molebox Virtualization software

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 08:58

Reported

2022-11-06 10:31

Platform

win7-20220901-en

Max time kernel

151s

Max time network

67s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Molebox Virtualization software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\foldar\\windows.exe" C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\foldar\\windows.exe" C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\foldar\windows.exe N/A

Modifies Installed Components in the registry

persistence
The component name {23P1S1BR-F560-376J-LV8X-PNDLP3T3X126} has the shape of a GUID but contains non-hexadecimal characters, so it can never belong to a real COM or Active Setup component; an Installed Components key whose name does not parse as a GUID is a reliable hunting pivot. Windows runs the StubPath at logon for every user profile that has not yet recorded this component, so this entry survives removal of the Run keys alone.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126} C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126}\StubPath = "C:\\Windows\\system32\\foldar\\windows.exe Restart" C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126}\StubPath = "C:\\Windows\\system32\\foldar\\windows.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\foldar\\windows.exe" C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\foldar\\windows.exe" C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
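
As an added worked example (not part of the sandbox report or of the CyberGate sample), the following Python parses the persistence rows above exactly as the report prints them and turns them into a collection and hunting list. It classifies each write as a Run key, a Policies\Explorer\Run key or an Active Setup StubPath, checks whether the Active Setup component name is a well-formed GUID, and translates the 32-bit writer's system32 launch path to the SysWOW64 path where the file actually lands. The line grammar, the AutoStart record and the "reasons" heuristics are assumptions made for this example; the input rows are copied from the tables above.

```python
"""Triage the auto-start registry writes a sandbox reports for one sample.

Added example, not part of the original report. Input lines are copied from
the behavioral1 persistence tables; the line grammar, the location classes
and the "reasons" heuristics are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe")

# Constructed input: the five "Set value" rows from the tables above plus one
# "Key created" row, which carries no launch path and must be skipped.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\foldar\\windows.exe" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\foldar\\windows.exe" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126}\StubPath = "C:\\Windows\\system32\\foldar\\windows.exe Restart" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\foldar\\windows.exe" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\foldar\\windows.exe" ' + SAMPLE + " N/A",
    r"Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run " + SAMPLE + " N/A",
]

# Row grammar assumed here: Set value (<type>) <key>\<value name> = "<data>" <writing process> ...
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\ ]+) = "(?P<data>[^"]*)" (?P<proc>\S+)'
)
ASETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\(?P<comp>[^\\]+)$", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
EXE_RE = re.compile(r"^(?P<exe>.+?\.exe)(?:\s+(?P<args>.+))?$", re.I)


@dataclass
class AutoStart:
    hive: str
    location: str           # "run", "policies_run" or "active_setup"
    value_name: str
    launch_path: str        # the path exactly as written to the registry
    on_disk_path: str       # where a 32-bit writer's file really lands
    args: Optional[str]
    process: str
    reasons: List[str] = field(default_factory=list)


def classify(key: str, name: str) -> Tuple[Optional[str], Optional[str]]:
    """Map a key/value pair to an auto-start location (plus the Active Setup component name)."""
    m = ASETUP_RE.search(key)
    if m and name.lower() == "stubpath":
        return "active_setup", m.group("comp")
    k = key.lower()
    if k.endswith("\\policies\\explorer\\run"):
        return "policies_run", None
    if k.endswith("\\currentversion\\run"):
        return "run", None
    return None, None


def triage(lines: List[str]) -> List[AutoStart]:
    # Writes that land under Wow6432Node come from a 32-bit process; for such a
    # process "system32" in a file path means SysWOW64 on disk (WOW64 file-system
    # redirection). Treating the whole batch as one process is an assumption.
    wow64 = any("wow6432node" in ln.lower() for ln in lines)
    findings: List[AutoStart] = []
    for ln in lines:
        m = SET_RE.match(ln)
        if not m:
            continue
        location, comp = classify(m["key"], m["name"])
        if location is None:
            continue
        data = m["data"].replace("\\\\", "\\")      # undo the sandbox's backslash escaping
        em = EXE_RE.match(data)
        exe, args = (em["exe"], em["args"]) if em else (data, None)
        on_disk = re.sub(r"(?i)\\Windows\\system32\\", r"\\Windows\\SysWOW64\\", exe) if wow64 else exe
        hive = "HKLM" if m["key"].upper().startswith("\\REGISTRY\\MACHINE\\") else "HKU"
        f = AutoStart(hive, location, m["name"], exe, on_disk, args, m["proc"])
        if m["name"].upper() in {"HKLM", "HKCU", "POLICIES"}:
            f.reasons.append("value name mimics a hive/key name instead of an application")
        if location == "active_setup" and not GUID_RE.match(comp or ""):
            f.reasons.append(f"Active Setup component {comp} is not a well-formed GUID")
        if on_disk.lower() != exe.lower():
            f.reasons.append("launch path is WOW64-redirected; the file to collect is the SysWOW64 copy")
        findings.append(f)
    return findings


def launch_paths(findings: List[AutoStart]) -> set:
    """Distinct on-disk files the persistence entries point at (the collection list)."""
    return {f.on_disk_path for f in findings}


if __name__ == "__main__":
    for f in triage(REPORT_LINES):
        print(f"{f.hive} {f.location:<12} {f.value_name:<9} -> {f.on_disk_path}"
              + (f" {f.args}" if f.args else "") + " | " + "; ".join(f.reasons))
```

Run stand-alone it prints one line per auto-start entry; all five resolve to the same SysWOW64 file, which is the single artifact to collect, and every entry carries at least one reason, so the same rules can be lifted straight into a registry-event detection.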

Drops file in System32 directory

The file is created under C:\Windows\SysWOW64\foldar\ even though every registry value above names C:\Windows\system32\foldar\windows.exe: the sample is a 32-bit process (its HKLM writes land under Wow6432Node), so WOW64 file-system redirection maps its system32 writes to SysWOW64. The SysWOW64 path is the one to collect and hunt for.

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\foldar\windows.exe C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
File opened for modification C:\Windows\SysWOW64\foldar\ C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
File created C:\Windows\SysWOW64\foldar\windows.exe C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
File opened for modification C:\Windows\SysWOW64\foldar\windows.exe C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe C:\Windows\Explorer.EXE
(this event is recorded 64 times: the sample, PID 1816, writes repeatedly into the address space of the desktop shell C:\Windows\Explorer.EXE, PID 1400. The memory dump memory/1400-68 below covers the same 0x0000000024010000-0x0000000024072000 range that appears in the sample's own dumps, consistent with code being injected into Explorer.)

Processes

Each process is listed as its image path followed by the command line it was started with. The 32-bit C:\Windows\SysWOW64\explorer.exe instance appears in the sample's process tree and is the process that rewrites the Active Setup StubPath (see the Installed Components table above); windows.exe is the dropped copy, started from its registry launch path.

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe

"C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe

"C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe"

C:\Windows\SysWOW64\foldar\windows.exe

"C:\Windows\system32\foldar\windows.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mohammad2010.no-ip.biz udp

The only recorded network event is a DNS lookup (UDP port 53, sent to the sandbox resolver 8.8.8.8) for mohammad2010.no-ip.biz, a hostname under the No-IP dynamic DNS service; no connection to the resolved address appears within the 67 s network window. The hostname, not the resolver address, is the indicator worth blocking and hunting for.
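
An added example, not part of the report: a small Python check that flags sandbox network rows whose queried name sits under a dynamic DNS zone. The zone list and the row grammar are this example's own assumptions, and 8.8.8.8 is simply the sandbox VM's resolver, so the check keys on the queried name rather than the resolver address. The two benign rows are constructed.

```python
"""Flag DNS lookups for dynamic-DNS hostnames in sandbox network rows.

Added example, not part of the original report. The zone list and the row
grammar are this example's own assumptions.
"""
import re
from typing import List, Optional, Tuple

# Dynamic-DNS zones frequently used to host RAT command-and-control names.
# Own, non-exhaustive list; extend it from your own telemetry.
DYNAMIC_DNS_ZONES = (
    "no-ip.biz", "no-ip.org", "no-ip.com", "no-ip.info", "ddns.net",
    "hopto.org", "zapto.org", "sytes.net", "dyndns.org", "duckdns.org",
)

# Row grammar of the Network table above: "Country Destination Domain Proto".
ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>\w+)$")


def dynamic_dns_zone(domain: str) -> Optional[str]:
    """Return the matching zone, honouring the label boundary so that a name
    like 'evilno-ip.biz' is not mistaken for a No-IP name."""
    d = domain.lower().rstrip(".")
    for zone in DYNAMIC_DNS_ZONES:
        if d == zone or d.endswith("." + zone):
            return zone
    return None


def flag_rows(rows: List[str]) -> List[Tuple[str, str, str]]:
    """(domain, zone, resolver) for every port-53 row whose name is under a dynamic-DNS zone."""
    hits = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m or m["port"] != "53":
            continue
        zone = dynamic_dns_zone(m["domain"])
        if zone:
            hits.append((m["domain"], zone, m["ip"]))
    return hits


# Constructed input: the one row from the behavioral1 Network table and two
# made-up benign rows showing that ordinary lookups pass.
ROWS = [
    "US 8.8.8.8:53 mohammad2010.no-ip.biz udp",
    "US 8.8.8.8:53 www.microsoft.com udp",
    "US 8.8.8.8:53 time.windows.com udp",
]

if __name__ == "__main__":
    for domain, zone, resolver in flag_rows(ROWS):
        print(f"dynamic-DNS lookup: {domain} (zone {zone}) via {resolver}")
```

The label-boundary check in dynamic_dns_zone is the part worth keeping when porting this to a SIEM query: a plain substring match on "no-ip.biz" would also fire on unrelated registrable names that merely end in those characters.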

Files

memory/1816-54-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1816-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

memory/1816-56-0x0000000000340000-0x0000000000393000-memory.dmp

memory/1816-57-0x0000000001F51000-0x0000000001F55000-memory.dmp

memory/1816-60-0x0000000001F60000-0x0000000002060000-memory.dmp

memory/1816-59-0x0000000001EE1000-0x0000000001EE5000-memory.dmp

memory/1816-58-0x00000000021D0000-0x00000000022D0000-memory.dmp

memory/1816-62-0x0000000000561000-0x0000000000565000-memory.dmp

memory/1816-61-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1816-63-0x00000000022D0000-0x00000000023D0000-memory.dmp

memory/1816-65-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1400-68-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1972-71-0x0000000000000000-mapping.dmp

memory/1972-73-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

memory/1816-74-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1972-79-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Windows\SysWOW64\foldar\windows.exe

MD5 09d2422a5358c2e3dcc9f47d87c19a4c
SHA1 b1fa7525b3ec27dd1c3e57ee112ca8aff5ee7e40
SHA256 4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78
SHA512 ce31609690fbfd516b109bdc46ba110fd1591f943ad318c3e9c0566cd029d4daec01e946b00998df968eed61aa36d7212a3c09444493131569f24288dae92355

(identical hashes to the submitted sample: the dropped windows.exe is a byte-for-byte copy of the original, so one set of file indicators covers both)

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 4f632f71edbb00ea9c46f8bf4846a3f3
SHA1 a9f3199344b4583567aea525ce732c8c483b98e6
SHA256 dee6864f9e0ba0c3c43e3212e1aa1861000d9a9cb567e06a1989d33f94118bb6
SHA512 5c45bd3f493411d81f0b65ca438d88662dc6c073c4c1c3f8de3c0efd4607e57304585e46182303939508624a231bda51c12082ed44c9bfde9e7e575988947ab2

memory/1972-82-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1532-84-0x0000000000000000-mapping.dmp

memory/1816-86-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1816-92-0x0000000000340000-0x0000000000393000-memory.dmp

memory/1532-91-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1816-93-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1532-94-0x00000000240F0000-0x0000000024152000-memory.dmp

\Windows\SysWOW64\foldar\windows.exe

MD5 09d2422a5358c2e3dcc9f47d87c19a4c
SHA1 b1fa7525b3ec27dd1c3e57ee112ca8aff5ee7e40
SHA256 4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78
SHA512 ce31609690fbfd516b109bdc46ba110fd1591f943ad318c3e9c0566cd029d4daec01e946b00998df968eed61aa36d7212a3c09444493131569f24288dae92355

memory/1836-97-0x0000000000000000-mapping.dmp

memory/1836-99-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1836-101-0x0000000000270000-0x00000000002C3000-memory.dmp

memory/1836-102-0x0000000001FA0000-0x00000000020A0000-memory.dmp

memory/1836-103-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1836-104-0x0000000001F91000-0x0000000001F95000-memory.dmp

memory/1836-105-0x0000000000541000-0x0000000000545000-memory.dmp

memory/1836-106-0x00000000021A0000-0x00000000022A0000-memory.dmp

memory/1836-107-0x00000000022A0000-0x00000000023A0000-memory.dmp

memory/1836-108-0x0000000000270000-0x00000000002C3000-memory.dmp

memory/1836-109-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1532-110-0x00000000240F0000-0x0000000024152000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 08:58

Reported

2022-11-06 10:32

Platform

win10v2004-20220812-en

Max time kernel

180s

Max time network

184s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Molebox Virtualization software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\foldar\\windows.exe" C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\foldar\\windows.exe" C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\foldar\windows.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126} C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126}\StubPath = "C:\\Windows\\system32\\foldar\\windows.exe Restart" C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126}\StubPath = "C:\\Windows\\system32\\foldar\\windows.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\foldar\\windows.exe" C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\foldar\\windows.exe" C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\foldar\windows.exe C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
File opened for modification C:\Windows\SysWOW64\foldar\windows.exe C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
File opened for modification C:\Windows\SysWOW64\foldar\windows.exe C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
File opened for modification C:\Windows\SysWOW64\foldar\ C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\foldar\windows.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3820 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe C:\Windows\Explorer.EXE
PID 3820 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe C:\Windows\Explorer.EXE
PID 3820 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe C:\Windows\Explorer.EXE
PID 3820 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe C:\Windows\Explorer.EXE
PID 3820 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe C:\Windows\Explorer.EXE
PID 3820 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe C:\Windows\Explorer.EXE
PID 3820 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe C:\Windows\Explorer.EXE
PID 3820 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe C:\Windows\Explorer.EXE
PID 3820 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe

"C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe

"C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe"

C:\Windows\SysWOW64\foldar\windows.exe

"C:\Windows\system32\foldar\windows.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2540 -ip 2540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 608

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 20.189.173.13:443 tcp
US 8.8.8.8:53 mohammad2010.no-ip.biz udp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp

Files

memory/3820-132-0x0000000000400000-0x0000000000497000-memory.dmp

memory/3820-133-0x0000000002250000-0x00000000022A3000-memory.dmp

memory/3820-134-0x0000000000400000-0x0000000000497000-memory.dmp

memory/3820-136-0x0000000024010000-0x0000000024072000-memory.dmp

memory/764-140-0x0000000000000000-mapping.dmp

memory/3820-141-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/764-144-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 4f632f71edbb00ea9c46f8bf4846a3f3
SHA1 a9f3199344b4583567aea525ce732c8c483b98e6
SHA256 dee6864f9e0ba0c3c43e3212e1aa1861000d9a9cb567e06a1989d33f94118bb6
SHA512 5c45bd3f493411d81f0b65ca438d88662dc6c073c4c1c3f8de3c0efd4607e57304585e46182303939508624a231bda51c12082ed44c9bfde9e7e575988947ab2

C:\Windows\SysWOW64\foldar\windows.exe

MD5 09d2422a5358c2e3dcc9f47d87c19a4c
SHA1 b1fa7525b3ec27dd1c3e57ee112ca8aff5ee7e40
SHA256 4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78
SHA512 ce31609690fbfd516b109bdc46ba110fd1591f943ad318c3e9c0566cd029d4daec01e946b00998df968eed61aa36d7212a3c09444493131569f24288dae92355

memory/764-147-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1136-149-0x0000000000000000-mapping.dmp

memory/3820-150-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/3820-154-0x0000000002250000-0x00000000022A3000-memory.dmp

memory/1136-153-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/3820-155-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1136-156-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/2540-157-0x0000000000000000-mapping.dmp

memory/2540-159-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2540-160-0x0000000000640000-0x0000000000693000-memory.dmp

memory/2540-161-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1136-162-0x00000000240F0000-0x0000000024152000-memory.dmp