Malware Analysis Report

2025-08-05 12:35

Sample ID 221106-lvmlwsggdm
Target 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
Tags
cybergate öííé persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc

Threat Level: Known bad

The file 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc was found to be: Known bad.

Malicious Activity Summary

cybergate öííé persistence stealer trojan upx

CyberGate, Rebhip

Suspicious use of NtCreateProcessExOtherParentProcess

Adds policy Run key to start application

UPX packed file

Executes dropped EXE

Modifies Installed Components in the registry

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 09:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 09:51

Reported

2022-11-06 11:46

Platform

win7-20220812-en

Max time kernel

152s

Max time network

56s

Command Line

C:\Windows\system32\lsass.exe

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe Restart" C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" C:\windows\SysWOW64\microsoft\bin\windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" C:\windows\SysWOW64\microsoft\bin\windows.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\bin C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File created C:\Windows\SysWOW64\bin\help.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File opened for modification C:\Windows\SysWOW64\bin\help.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\bin\windows.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\bin\ C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File created \??\c:\windows\SysWOW64\microsoft\bin\windows.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\bin\windows.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File opened for modification C:\windows\SysWOW64\microsoft\bin\windows.exe C:\windows\SysWOW64\microsoft\bin\windows.exe N/A
File opened for modification C:\Windows\SysWOW64\bin\help.exe C:\windows\SysWOW64\microsoft\bin\windows.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 780 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
PID 1920 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1904 wrote to memory of 1936 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1996 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

"C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

"C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe"

C:\windows\SysWOW64\microsoft\bin\windows.exe

"C:\windows\system32\microsoft\bin\windows.exe"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\windows\SysWOW64\microsoft\bin\windows.exe

C:\windows\SysWOW64\microsoft\bin\windows.exe

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 tunisia-sat.no-ip.biz udp
N/A 127.0.0.1:8081 tcp

Files

\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 b2c82cbdb8f096f842da7521b7944713
SHA1 bc6d73b2a3ab5e88e601dcee7a2dc80fa05ced54
SHA256 ea6023ee5139e5fcc3682d7a562ae7cbbe58c045f20ec5727fa61a2c4c25f33b
SHA512 27589fd68218bf7b5b2eb27d17e9145a79f027665c71ef503d9a6cd0914a8ae75801618fd20101ef01c1ebbb24c2255ef1b6bec9b73f006255da84bc6fe9533a

\??\c:\windows\SysWOW64\microsoft\bin\windows.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

memory/584-90-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1996-92-0x0000000000460000-0x00000000004C2000-memory.dmp

\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

memory/1192-97-0x0000000000000000-mapping.dmp

memory/1996-100-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1996-106-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1192-105-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/260-107-0x0000000031770000-0x000000003177D000-memory.dmp

\Windows\SysWOW64\microsoft\bin\windows.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

memory/1356-154-0x0000000000000000-mapping.dmp

memory/1192-152-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/584-151-0x00000000318E0000-0x00000000318ED000-memory.dmp

C:\Windows\SysWOW64\microsoft\bin\windows.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

C:\Windows\SysWOW64\bin\help.exe

MD5 6003bcec2ceef7a6cca4a4e309cbf862
SHA1 025eb656406fd10f06346a2171a9468be11b0de4
SHA256 2dd53141e4b18919642002a48681fc3906b16a24637b7737aef24392a2bf0a0f
SHA512 32fd0ecc406723f8a0a1523bd846b7062e58d3c209c0c6c28b76b644e7f450e05970c4e9928c5f5ebc5cf210238268f1ed3365460e91e7f3cb0382d2336f057f

memory/1704-158-0x0000000000000000-mapping.dmp

memory/1692-164-0x0000000000457D30-mapping.dmp

memory/1784-168-0x0000000000000000-mapping.dmp

memory/380-170-0x0000000000000000-mapping.dmp

memory/1692-175-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1692-176-0x00000000318F0000-0x00000000318FD000-memory.dmp

memory/1692-177-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1692-178-0x00000000318F0000-0x00000000318FD000-memory.dmp

memory/584-179-0x00000000318E0000-0x00000000318ED000-memory.dmp

memory/1192-180-0x00000000240F0000-0x0000000024152000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 09:51

Reported

2022-11-06 11:46

Platform

win10v2004-20220812-en

Max time kernel

158s

Max time network

174s

Command Line

C:\Windows\system32\lsass.exe

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 1124 created 3280 N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\microsoft\bin\windows.exe

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe Restart" C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" C:\windows\SysWOW64\microsoft\bin\windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" C:\windows\SysWOW64\microsoft\bin\windows.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\bin\help.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File created \??\c:\windows\SysWOW64\microsoft\bin\windows.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\bin\windows.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File opened for modification C:\windows\SysWOW64\microsoft\bin\windows.exe C:\windows\SysWOW64\microsoft\bin\windows.exe N/A
File opened for modification C:\Windows\SysWOW64\bin C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\bin\windows.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\bin\ C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
File opened for modification C:\Windows\SysWOW64\bin\help.exe C:\windows\SysWOW64\microsoft\bin\windows.exe N/A
File opened for modification C:\Windows\SysWOW64\bin\help.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
PID 1660 wrote to memory of 5060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 5060 wrote to memory of 4252 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4616 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -s W32Time

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

"C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

"C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe"

C:\windows\SysWOW64\microsoft\bin\windows.exe

"C:\windows\system32\microsoft\bin\windows.exe"

C:\Windows\SysWOW64\cmd.exe

/c net stop MpsSvc

C:\windows\SysWOW64\microsoft\bin\windows.exe

C:\windows\SysWOW64\microsoft\bin\windows.exe

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 648

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 8746cef025cd36a47dc626f7391c34b3 eYmZbZQ62kGF77bHBITviQ.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

Network

Country  Destination      Domain                 Proto
US       8.8.8.8:53       tunisia-sat.no-ip.biz  udp
DE       20.52.64.200:443 -                      tcp
US       72.21.91.29:80   -                      tcp
N/A      127.0.0.1:8081   -                      tcp
US       8.8.8.8:53       tunisia-sat.no-ip.biz  udp
N/A      127.0.0.1:8081   -                      tcp
NL       87.248.202.1:80  -                      tcp
US       8.8.8.8:53       tunisia-sat.no-ip.biz  udp
N/A      127.0.0.1:8081   -                      tcp
US       8.8.8.8:53       tunisia-sat.no-ip.biz  udp
N/A      127.0.0.1:8081   -                      tcp
US       8.8.8.8:53       tunisia-sat.no-ip.biz  udp
N/A      127.0.0.1:8081   -                      tcp
US       8.8.8.8:53       tunisia-sat.no-ip.biz  udp
N/A      127.0.0.1:8081   -                      tcp
US       8.8.8.8:53       tunisia-sat.no-ip.biz  udp
N/A      127.0.0.1:8081   -                      tcp
US       8.8.8.8:53       tunisia-sat.no-ip.biz  udp
N/A      127.0.0.1:8081   -                      tcp
US       8.8.8.8:53       tunisia-sat.no-ip.biz  udp
N/A      127.0.0.1:8081   -                      tcp
US       8.8.8.8:53       tunisia-sat.no-ip.biz  udp

Files

memory/1692-132-0x00000000005D0000-0x00000000005D4000-memory.dmp

memory/4616-134-0x0000000000000000-mapping.dmp

memory/1660-133-0x0000000000000000-mapping.dmp

memory/4616-135-0x0000000000400000-0x0000000000459000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

memory/4616-138-0x0000000000400000-0x0000000000459000-memory.dmp

memory/5060-139-0x0000000000000000-mapping.dmp

memory/4616-140-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4252-141-0x0000000000000000-mapping.dmp

memory/4616-142-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4616-144-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4152-148-0x0000000000000000-mapping.dmp

memory/4616-149-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4152-152-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4152-153-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 b2c82cbdb8f096f842da7521b7944713
SHA1 bc6d73b2a3ab5e88e601dcee7a2dc80fa05ced54
SHA256 ea6023ee5139e5fcc3682d7a562ae7cbbe58c045f20ec5727fa61a2c4c25f33b
SHA512 27589fd68218bf7b5b2eb27d17e9145a79f027665c71ef503d9a6cd0914a8ae75801618fd20101ef01c1ebbb24c2255ef1b6bec9b73f006255da84bc6fe9533a

\??\c:\windows\SysWOW64\microsoft\bin\windows.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

memory/4616-157-0x00000000023E0000-0x0000000002442000-memory.dmp

memory/2064-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

memory/4616-163-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/4616-167-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2064-166-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/4152-168-0x0000000031B80000-0x0000000031B8D000-memory.dmp

memory/2064-169-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1244-170-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\microsoft\bin\windows.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

C:\Windows\SysWOW64\bin\help.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

memory/4168-173-0x0000000000000000-mapping.dmp

memory/3280-174-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\microsoft\bin\windows.exe

MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6

memory/3280-178-0x0000000000400000-0x0000000000459000-memory.dmp

memory/3280-179-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1988-180-0x0000000000000000-mapping.dmp

memory/3660-181-0x0000000000000000-mapping.dmp

memory/4168-182-0x0000000031BA0000-0x0000000031BAD000-memory.dmp

memory/4168-183-0x0000000031BA0000-0x0000000031BAD000-memory.dmp

memory/3280-184-0x0000000031BB0000-0x0000000031BBD000-memory.dmp

memory/3280-185-0x0000000000400000-0x0000000000459000-memory.dmp

memory/3280-186-0x0000000031BB0000-0x0000000031BBD000-memory.dmp

memory/1124-187-0x0000000031BD0000-0x0000000031BDD000-memory.dmp

memory/4940-188-0x0000000031BF0000-0x0000000031BFD000-memory.dmp

memory/4940-189-0x0000000031BF0000-0x0000000031BFD000-memory.dmp

memory/4152-190-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4152-191-0x0000000031B80000-0x0000000031B8D000-memory.dmp

memory/2064-192-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/4696-193-0x0000000031C10000-0x0000000031C1D000-memory.dmp

memory/4696-194-0x0000000031C10000-0x0000000031C1D000-memory.dmp

memory/4940-195-0x0000000031BF0000-0x0000000031BFD000-memory.dmp

memory/4696-196-0x0000000031C10000-0x0000000031C1D000-memory.dmp

memory/4696-197-0x0000000031C10000-0x0000000031C1D000-memory.dmp