Malware Analysis Report

2025-08-05 12:38

Sample ID 221106-mx9d4saffn
Target 9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed
SHA256 9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed
Tags
cybergate antivirus persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed

Threat Level: Known bad

The file 9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed was found to be: Known bad.

Malicious Activity Summary

cybergate antivirus persistence stealer trojan

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 10:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 10:51

Reported

2022-11-06 13:11

Platform

win7-20220901-en

Max time kernel

150s

Max time network

68s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win32\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win32\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Win32\explorer.exe | N/A
N/A | N/A | C:\Windows\Win32\explorer.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{JRB507X3-63Y8-78IL-0W1R-J620BKA040MX} | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{JRB507X3-63Y8-78IL-0W1R-J620BKA040MX}\StubPath = "C:\\Windows\\Win32\\explorer.exe Restart" | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{JRB507X3-63Y8-78IL-0W1R-J620BKA040MX} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{JRB507X3-63Y8-78IL-0W1R-J620BKA040MX}\StubPath = "C:\\Windows\\Win32\\explorer.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Win32\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Win32\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Win32\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
File opened for modification | C:\Windows\Win32\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
File opened for modification | C:\Windows\Win32\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
File opened for modification | C:\Windows\Win32\ | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
File opened for modification | C:\Windows\Win32\explorer.exe | C:\Windows\Win32\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
N/A | N/A | C:\Windows\Win32\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1200 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe
PID 1056 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe

"C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe"

C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe

C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe

"C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe"

C:\Windows\Win32\explorer.exe

"C:\Windows\Win32\explorer.exe"

C:\Windows\Win32\explorer.exe

C:\Windows\Win32\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hugui-201181.no-ip.biz | udp

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 3b4d13625487c38ad92351873c7944f6
SHA1 a5024b629b666189f3b0f8832e28463e430d27b2
SHA256 307edf4b923f603a4a4113661155767c08c5db805e545323dc1139c3153c2210
SHA512 ef957ee6fb96c72c1a7d58d02acdfd4761b2339a8f2d2217884e2958953a4628d64c7835a2815f68ebd922dccd392dd5e69058f14832b802d26dabf5a3ab3569

C:\Windows\Win32\explorer.exe

MD5 312f3a3eb91eed8d7673e93dfc61db5b
SHA1 9c29e1bf2ce4b3e5a6395e4e4805124bd4354c64
SHA256 9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed
SHA512 359452472f1a7d6ce8a16bee96794c5dc89fbb19cc8aacb2afed83ca5ba909ba51951998ee8069f928ba3f0f809a0e62f2f69c70008c47a1274d08c00660301f

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 10:51

Reported

2022-11-06 13:11

Platform

win10v2004-20220812-en

Max time kernel

152s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win32\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win32\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Win32\explorer.exe | N/A
N/A | N/A | C:\Windows\Win32\explorer.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JRB507X3-63Y8-78IL-0W1R-J620BKA040MX} | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JRB507X3-63Y8-78IL-0W1R-J620BKA040MX}\StubPath = "C:\\Windows\\Win32\\explorer.exe Restart" | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JRB507X3-63Y8-78IL-0W1R-J620BKA040MX} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JRB507X3-63Y8-78IL-0W1R-J620BKA040MX}\StubPath = "C:\\Windows\\Win32\\explorer.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Win32\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Win32\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B64E6DEE-3668-4C35-A37C-06F6CF5CF15E}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EEE09BA1-BD0A-4183-9808-6DC3656C4316}.catalogItem | C:\Windows\System32\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Win32\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
File opened for modification | C:\Windows\Win32\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
File opened for modification | C:\Windows\Win32\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
File opened for modification | C:\Windows\Win32\ | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
File opened for modification | C:\Windows\Win32\explorer.exe | C:\Windows\Win32\explorer.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Win32\explorer.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\svchost.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\System32\svchost.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | N/A
N/A | N/A | C:\Windows\Win32\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1152 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe | C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe
PID 2380 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe

"C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe"

C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe

C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe

"C:\Users\Admin\AppData\Local\Temp\9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed.exe"

C:\Windows\Win32\explorer.exe

"C:\Windows\Win32\explorer.exe"

C:\Windows\Win32\explorer.exe

C:\Windows\Win32\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5828 -ip 5828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 532

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Network

Country Destination Domain Proto
US 8.8.8.8:53 hugui-201181.no-ip.biz udp

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 3b4d13625487c38ad92351873c7944f6
SHA1 a5024b629b666189f3b0f8832e28463e430d27b2
SHA256 307edf4b923f603a4a4113661155767c08c5db805e545323dc1139c3153c2210
SHA512 ef957ee6fb96c72c1a7d58d02acdfd4761b2339a8f2d2217884e2958953a4628d64c7835a2815f68ebd922dccd392dd5e69058f14832b802d26dabf5a3ab3569

C:\Windows\Win32\explorer.exe

MD5 312f3a3eb91eed8d7673e93dfc61db5b
SHA1 9c29e1bf2ce4b3e5a6395e4e4805124bd4354c64
SHA256 9d80b11d4d974808576316ed7a4283e0b3e3b909481ebbdc3245fc1b52f1a5ed
SHA512 359452472f1a7d6ce8a16bee96794c5dc89fbb19cc8aacb2afed83ca5ba909ba51951998ee8069f928ba3f0f809a0e62f2f69c70008c47a1274d08c00660301f
