Malware Analysis Report

2024-12-07 20:37

Sample ID 240214-en8r8agf2t
Target 9ab644449c7139b4ae722c8044383e4b
SHA256 5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1
Tags
cybergate vítima persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1

Threat Level: Known bad

The file 9ab644449c7139b4ae722c8044383e4b was found to be: Known bad.

Malicious Activity Summary

cybergate vítima persistence stealer trojan upx

CyberGate, Rebhip

Cybergate family

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-14 04:06

Signatures

Cybergate family

cybergate

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-14 04:06

Reported

2024-02-14 04:08

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(row repeated 14 times in the original table; the signature fired 14 times with no per-hit details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\install\server.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 228 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
(row repeated 64 times in the original table: 64 identical WriteProcessMemory events from PID 228 into Explorer.EXE, PID 3380)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe

"C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe

"C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe"

C:\install\server.exe

"C:\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4708 -ip 4708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 564

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
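Added example, not part of the sandbox report: a Python pass over the Network table above that separates the three kinds of rows it mixes together. The UDP rows to 8.8.8.8:53 whose names end in in-addr.arpa are reverse (PTR) lookups; the code decodes each one back into the address being looked up (octets are written in reverse order in a PTR name), which is what you need in order to check whether any of those addresses is also a TCP destination. The single forward lookup is www.server.com, and every named TCP flow goes to 52.8.126.80:80, 13 times in about 150 seconds; the unnamed flow to 20.231.121.79:80 is kept separate because the sample never resolved a name for it. The ranking rule (repeated flows to a name the sample itself resolved first) is this example's heuristic, not something the sandbox asserts. The table rows are copied from the report; nothing else is assumed.

```python
import re
from collections import Counter

# The behavioral2 "Network" table, copied as printed: country, ip:port, name
# (absent for the bare TCP flow), protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
"""

# country, ip:port, optional name, proto
ROW_RE = re.compile(r'^(\S+) (\S+):(\d+)(?: (\S+))? (udp|tcp)$')


def parse_rows(text):
    """Turn the flattened table into dicts; raise on a row the pattern does not fit."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f'unparsed row: {line}')
        country, ip, port, name, proto = m.groups()
        rows.append({'country': country, 'ip': ip, 'port': int(port),
                     'name': name, 'proto': proto})
    return rows


def ptr_to_ip(name):
    """'183.142.211.20.in-addr.arpa' -> '20.211.142.183'; None for a forward name."""
    suffix = '.in-addr.arpa'
    if not name.endswith(suffix):
        return None
    return '.'.join(reversed(name[:-len(suffix)].split('.')))


def summarise(rows):
    """Split DNS traffic into PTR targets and forward lookups; count TCP flows by destination."""
    ptr_targets, forward_lookups, flows = set(), set(), Counter()
    for r in rows:
        if r['proto'] == 'udp' and r['port'] == 53 and r['name']:
            ip = ptr_to_ip(r['name'])
            if ip:
                ptr_targets.add(ip)
            else:
                forward_lookups.add(r['name'].lower())
        elif r['proto'] == 'tcp':
            flows[(r['ip'], r['port'], r['name'])] += 1
    return {'ptr_targets': ptr_targets, 'forward_lookups': forward_lookups, 'flows': flows}


def c2_candidates(rows):
    """Rank TCP destinations: repeated flows to a name the sample itself resolved come first."""
    s = summarise(rows)
    out = []
    for (ip, port, name), count in s['flows'].items():
        out.append({'ip': ip, 'port': port, 'name': name, 'count': count,
                    'resolved_by_sample': name is not None and name.lower() in s['forward_lookups'],
                    'reverse_looked_up': ip in s['ptr_targets']})
    return sorted(out, key=lambda c: (c['resolved_by_sample'], c['count']), reverse=True)


if __name__ == '__main__':
    parsed = parse_rows(NETWORK_ROWS)
    for c in c2_candidates(parsed):
        print(f"{c['ip']}:{c['port']} name={c['name']} flows={c['count']} "
              f"resolved_by_sample={c['resolved_by_sample']} ptr_seen={c['reverse_looked_up']}")
    print('PTR lookups decoded:', sorted(summarise(parsed)['ptr_targets']))
```

The decoded PTR targets fall in ranges the sample never connects to, so they are not part of the implant's traffic; the one destination worth a firewall or proxy search is 52.8.126.80 together with the name www.server.com.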

Files

memory/228-0-0x0000000000400000-0x0000000000457000-memory.dmp

memory/228-4-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4960-8-0x0000000000F00000-0x0000000000F01000-memory.dmp

memory/4960-9-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/228-64-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4960-67-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

memory/4960-69-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4960-68-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 aff8d61a4d637ffc0827d306cf7520d3
SHA1 1eeee92063db4ef2f07fd0921f88fdea17d6caa2
SHA256 cc4c5fb0c6756fd11040bdcbdc1120f441e8b5d40c7dbc84c5cee5f0e55dfb85
SHA512 a22d099084614c32e27a3423d3acf811373ca0ca9b15f5426db23fa4f0d52f65624b0ce1b4012d7f4b39195029e3895c0798acde6b0e7cc5d02fb7b504c35d12

C:\install\server.exe

MD5 9ab644449c7139b4ae722c8044383e4b
SHA1 04356f283d8278241598c5d97261344bcb2fd8d1
SHA256 5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1
SHA512 f45cc5cf5bf52ae93a7ab8c921e31999f083c71508997e50cf7bb99cbd8ecc7bd3d77301ac5117ecf3eb414fbed465f82b2d5cac05a3f6dca5e180baae0c8fc9

memory/492-80-0x0000000000400000-0x0000000000457000-memory.dmp

memory/228-86-0x0000000000400000-0x0000000000457000-memory.dmp

memory/492-141-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/228-142-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/4708-161-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4708-163-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4960-164-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 27ef41b4fd770609a937a87d8b2f2b31
SHA1 70eb54c3c4276fe97e4f7ebe194733f8529f2304
SHA256 7dcd486e3613928ff4ebe8fdc404d1c272abc65b0eb055c9631398cb1887d172
SHA512 ed873a73b5c19de58cae03297e769050554037d7a61a2e20a0e4cbcc5b251d43934fed4daf4678adfcef18f3aee565a4fac614f4892f5588547325a9e9e2aa42

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9536ad566fec5667371ad4d1489999e6
SHA1 a343609177a19fefa8f464aa59318710997a57a5
SHA256 ef72cde5d3cab6d4de4f9c9482e48dfd5b29c3de293c7fcd7c237697ab5512d2
SHA512 ae509e5f5c921f518659c5a6aaa8567fb3e85bcc3b0edce730ec6eca4980102cff94bb4f834a2da4711dd39f5b3526311245dc2ecb24cf265a1a7e7caca4f867

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 356d645d30ef8cc0f7bade03c7d0b78d
SHA1 2872c08c7095904a5c494b10344d2f1af1275cb4
SHA256 12f78f6d9964f8b3ce7a006c9f5d59aaa2ff223f371e98a439baddcecd78c017
SHA512 1388dde17e9b70ca66d83ea6a1483c1c1e70150fa757f518be91b27aa440a573b1013df76a0b595dfd824b5c67447effe73bb6737e9a8c364f9a79d0eb66afc3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 24e0049a0e2889e5bfcbd3059679c0e1
SHA1 767b61a091b38727260b48390dac66aef7262d6f
SHA256 cff074ca5c8754614fcf06338b43bebd7a9bdb5e1bc01ed5190da415607ae1b5
SHA512 be82f5a630558ab91a70bdb04c4f0a063fa506a5ad4f3dd59eb3bf209e7350615217ecd457616330eca6bbeb4da6b2e94247b5c2dcd7bb09984168c2d339b1b6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 261d78a60d6dc0113e04d3400cf5eece
SHA1 677e34fe84571a4e4a78155462c70a8336e77d6a
SHA256 7632a0f6e8b79c6a44892114a1cb743ebde854a9540c1e4befe8c5b83a49f6b0
SHA512 1408d2e40753efa0b2632292c47408d26a6ac40856d76ce575c6d037c7c84fa2bfd9cc93c2a93ff64c19f966cfe4506a94dee1597a55772be397e4757901dbee

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2bf26ea3ce57dd9e8de502ea964806ad
SHA1 40640f2c5e1ac60cd2d3951f2c84a2a904e27eee
SHA256 0fe0e4175e823bd6daf42b3e0d5d4b69470b266b668caa1bb280f15c80d6c9ad
SHA512 c16a8296fd890e614dc539f5637c758866bf59d98568079e40ef59da3d238c8dcc726c8105578ac40cb5de23670d1de66c7d032ef9c9af114e1f56816691a798

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a7b5263fdf620f6c7b9311e7ff3d0249
SHA1 2f59150dbf45b72e22e5abb7a4adf8e69c6a9a79
SHA256 1d9beb074ddc6068f813da05b7c9e6ac45353f125de99b9054f5747cfdf17bce
SHA512 e8b4ab57c4628827ad49207294cf475d9732a2907dbf683b33f55f5645df6d66887317fc9704800502b1ccbd5b3279f5f92550c396c6e1d590d4d7d582ec0446

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6eb89725c509bf525899911f409d92e6
SHA1 f9c63b0d2e6e5a47318511f6eaf2928dbdde6be6
SHA256 534bb73ec0ab4585ba24b4c291f4775a11bd1838a9321a5fc2cc8a0473a372a1
SHA512 9b4d59bf951396160e5bde470a48e4198ca8ef9ad16059c568e74650f2e7b3ec4689ae21443aa9b1259d858aa76a5c8c2e8cbf983d362d2f701ed85a1172d491

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a01620835aab62bb0bb94a66f2359f01
SHA1 fe6f5075934a70cb4f13085e9550f77804b121bf
SHA256 852b2b473cbb31131aaa9e0ce7d17ec79116b322e4d323dd01c417a804bab7ed
SHA512 fb77a5e1d120c9c1a1184be1e3c2264c151b5cd575c072f30e3a9ad635a8749a4a0b05d0dc39a351a494a11be0de3ede5fc2861b57229db688e1390f70a12ef8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 02c982a8239db4a202df1d27c3990f55
SHA1 e14eb4ba7f2a0a15f0dedb5e1686084066baefe5
SHA256 8a1bd9cb65010b27d00ddde938161c3906ad1357e62263b849345e2fe53abeba
SHA512 05d165e885d6fdbcf253c9df07ba96a2d7badfd511bd9a14a1ea4b379f1ef88a20fbd8b0822e2c4ad4946386571d3c1c7b81aeb4c960b3275ce604d345481806

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e8b27a20cc44cbcb84b8e6f07ef87160
SHA1 9c494a2fb300a900a7a38a6e900f978178607c44
SHA256 b3d4dc1f80d3910f289f56c3a488162569c99c78f77d866e6e9ce2f28c8b4336
SHA512 c8e0dc5f0caa39c96fa137c375b2eea466fcfd03414a0c21a7b7800741c92ae3fc65990efd480ce998d35c29dbca33abe4da7bf556997e239941e18f32b7aa49

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7fb9b01e601a94b5432b4de5f8799e75
SHA1 ebf9651621a9c1a6ce69b1fb10dd2e6a2d05b547
SHA256 fb4c981fe8d8f99956012901d7d97b59412830ced45cdb01cb6ece83156e0e16
SHA512 49255e54753606294d2a8faf74235846a29dcc13078ec1d66eff10c0a963a518d4f74789a5beae8ec7bd3e9fb02a9fb214f56d7426b6fee5335469675c9a316c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 90e8196425c73cadef66a7dbe59d9985
SHA1 ad037f1eb679ff0fba0d6e5fb8654acb0d7d33c9
SHA256 e8b2e1dcd796b149617b1077e0a57ff70250a61d9d3fb1d5d9f54f7741bf2678
SHA512 2839739f202cd0bbbd59816b4ac241e8ef2fe64545c600c69917b683fac61cd9c77d99aa000ac72c45ec0390df74aa0fac90eda267e29a48eeeeb33862aa40cd

memory/492-1340-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8940140c459d57aa333e5073da9edb2e
SHA1 8451be1406e301039f3a6aacb5e139e5d82b0d63
SHA256 14859a2eb349ec692843e42a2d78eac0b54238e82c9bb65be30385d20974563c
SHA512 9e326e9f8839d5cc7022de013aa5f9a3056416074114943643a6740bb3909da9fde630d2f96113e733650576722577e8ba0e8605fba51106643a796d0787f5e8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9a053bbd4fd1a8022682a5855ec3ec54
SHA1 8d9ba8ae8b19190bf65346b80b777ecc49a2f1e9
SHA256 bb11347af7332145753dba167e3aaed9dbec2715ba6175a7a3d96d978479badd
SHA512 947d942b299cf50f74d65a38c17a588c90747892240a12dff517d630427051bd44117930705fbb7003d579c8a7cd4394f465804d4f43a0df376674eaa37532e1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7a419fa13f909f1f0369c33f712bf69f
SHA1 0c53de9d92dd5cde6c749f3cb08926950cd5f85d
SHA256 3648e80cbccac2c3d9460898e68dfb2acef7a9a19d1aa32f9ec486ce8edfd194
SHA512 90c37e822027360e2cb7b6f44248ef2d1fef3202d3b7ea1a25d808f42d25a363fd1cb80fe9beab2145c91d9b1cb8604f86105d90cd3ce6b0f147b31474c7cb5e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cbec63c228fcde5203bb9f417989bbf0
SHA1 cd071bc590275a24ec5146ef7191b051aa22fbf2
SHA256 214af02e361ed988b19e71a7a64bb6d93547bb3ce6b5cb5e4f6f84d442806fbb
SHA512 ac9df3a32b256af56f19a0f59af9f9c87fbde247c023773556215c69df2a23253dc6969df9e86f1dc33eb33edc71ff0b284d04d03d9017019161e31f563dd0cb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 322c992457627f4c4b67107396e0c1d1
SHA1 c89d7dac89ccaeec73227d1c716e5e3be79ed47f
SHA256 cc1adf73f40be7a0c44fc56cef116eb6029d31c61801942899c64f9222db9755
SHA512 2f18213447342f14adb03efdd5c2b9f9e49dfd5a1ca2cbb4a130315f417ad265792d96b743dfdc9f7180dbb522b7d8f6b11c4d20baa6ea904bca30f3be563429

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 82bceba2fe6edc73efb430386fec2261
SHA1 c947ed2e42c0a9f4eddce7c1c01cbecd7fe203ae
SHA256 0003cb6ab09256144dd7687415221c63f231b7e5dc03e5be62a54d86f320d3c6
SHA512 a24efeeccfe13557434277539169b754b577e8da8752009ce6a027248157073165529cce35cb910b53fc05cedc45d87034c8df5869fd43ade29875b3d269021a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4903030b99109e6ff740eda7e5c71164
SHA1 ef1e04e88789db1dcd35aaf7adbdf5f42e982d0e
SHA256 0a4eaa644a132a585f43620e13ad78fbaff7641a7197512a8f7815ff83b832c0
SHA512 50183a6919ab7c6c1985444a107d0c989af7962e6170497ef8c1bc1638a1ad13145b572edb2d6b2ee4f55b924c53bc83138039d0e3cb79b3696ca46790faf029
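Added example, not part of the sandbox report: a Python parser for the Files section above, which interleaves memory-dump entries (no hashes) with dropped files (path followed by hash lines), and lists a path once per distinct content written to it. Two facts in the table are easy to miss when reading by hand and the code makes them explicit: C:\install\server.exe has exactly the MD5 and SHA256 of the submitted sample, so it is a straight self-copy rather than a second-stage payload, and XxX.xXx appears twenty times with twenty different hashes, so it was rewritten throughout the run. The dump entries are grouped by image range: the same 0x400000 to 0x457000 region is dumped from PIDs 228, 492 and 4708, and 4708 is the process WerFault reported on (-p 4708 in the Processes list). The input is an excerpt of the table (three of the XxX.xXx versions, MD5 and SHA256 lines only, three dump entries); the parser handles the full section unchanged.

```python
import re
from collections import defaultdict

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = '5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1'

# Excerpt of the behavioral2 "Files" section, copied as printed except that only
# three of the twenty XxX.xXx versions and only the MD5/SHA256 lines are kept.
FILES_TEXT = r"""
memory/228-0-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 aff8d61a4d637ffc0827d306cf7520d3
SHA256 cc4c5fb0c6756fd11040bdcbdc1120f441e8b5d40c7dbc84c5cee5f0e55dfb85

C:\install\server.exe

MD5 9ab644449c7139b4ae722c8044383e4b
SHA256 5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1

memory/492-80-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

memory/4708-161-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 27ef41b4fd770609a937a87d8b2f2b31
SHA256 7dcd486e3613928ff4ebe8fdc404d1c272abc65b0eb055c9631398cb1887d172

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9536ad566fec5667371ad4d1489999e6
SHA256 ef72cde5d3cab6d4de4f9c9482e48dfd5b29c3de293c7fcd7c237697ab5512d2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 356d645d30ef8cc0f7bade03c7d0b78d
SHA256 12f78f6d9964f8b3ce7a006c9f5d59aaa2ff223f371e98a439baddcecd78c017
"""

DUMP_RE = re.compile(r'^memory/(\d+)-(\d+)-(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)-memory\.dmp$')
HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$')


def parse_files(text):
    """Return (dropped-file entries, memory-dump entries) from the flattened Files table."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        d = DUMP_RE.match(line)
        if d:
            pid, seq, start, end = d.groups()
            dumps.append({'pid': int(pid), 'seq': int(seq),
                          'start': int(start, 16), 'end': int(end, 16)})
            current = None
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f'hash line without a preceding path: {line}')
            current['hashes'][h.group(1).lower()] = h.group(2).lower()
            continue
        current = {'path': line, 'hashes': {}}   # any other line is a dropped-file path
        files.append(current)
    return files, dumps


def self_copies(files, sample_sha256=SAMPLE_SHA256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [f['path'] for f in files if f['hashes'].get('sha256') == sample_sha256.lower()]


def versions_per_path(files):
    """How many distinct contents each path was written with during the run."""
    seen = defaultdict(set)
    for f in files:
        seen[f['path']].add(f['hashes'].get('sha256'))
    return {p: len(s) for p, s in seen.items()}


def shared_image_regions(dumps):
    """Group dumps by (start, size); one range in several PIDs means one image mapped in each."""
    by_region = defaultdict(set)
    for d in dumps:
        by_region[(d['start'], d['end'] - d['start'])].add(d['pid'])
    return {k: sorted(v) for k, v in by_region.items()}


def hunt_list(files):
    """Unique (sha256, path) pairs to sweep other hosts for."""
    return sorted({(f['hashes']['sha256'], f['path']) for f in files if 'sha256' in f['hashes']})


if __name__ == '__main__':
    files, dumps = parse_files(FILES_TEXT)
    print('self-copies of the sample:', self_copies(files))
    print('versions per path:', versions_per_path(files))
    print('image regions by pid:', shared_image_regions(dumps))
    for sha, path in hunt_list(files):
        print(sha, path)
```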

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-14 04:06

Reported

2024-02-14 04:08

Platform

win7-20231129-en

Max time kernel

142s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A
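Added example, not part of the sandbox report: a Python triage pass over the registry rows from the three persistence signatures (this behavioral1 run on win7 and the identical rows in behavioral2 on win10). It maps the SID-qualified HKU path to HKCU, strips the WOW6432Node reflection so the 32-bit and native views of a key compare equal, tags each write with its ATT&CK sub-technique (T1547.001 for the Run and Policies\Explorer\Run keys, T1547.014 for Active Setup), pulls out the executable every entry points at, and flags the two things a practitioner would escalate on here: an autostart target outside Windows or Program Files, and an Active Setup component whose GUID is not hexadecimal (the J and X in {08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} cannot come from a real installer, which makes that key a precise hunt term). The last input row is a constructed control entry with a well-formed GUID and a system binary; its ie4uinit.exe path and GUID are assumptions for illustration, not something this report observed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Registry rows copied from the signature tables of both runs.  Backslashes inside
# the quoted data are doubled exactly as the sandbox printed them.  The final row
# is a CONSTRUCTED control entry (well-formed GUID, binary under C:\Windows) that
# the triage must classify as an autostart but not flag.
EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe Restart"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}\StubPath = "C:\\Windows\\System32\\ie4uinit.exe -UserConfig"',
]

ROW_RE = re.compile(r'^(Set value \(\w+\)|Key created) (\\REGISTRY\\.+?)(?: = "(.*)")?$')
USER_HIVE_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+\\', re.I)
MACHINE_PREFIX = '\\REGISTRY\\MACHINE\\'
GUID_RE = re.compile(r'^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$', re.I)
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files')

# Autostart locations, compared after hive normalisation and WOW6432Node removal,
# so one entry covers both the native and the 32-bit-reflected view of a key.
AUTOSTART = {
    'software\\microsoft\\windows\\currentversion\\run': 'T1547.001 Run key',
    'software\\microsoft\\windows\\currentversion\\policies\\explorer\\run': 'T1547.001 Policies\\Explorer\\Run',
    'software\\microsoft\\active setup\\installed components': 'T1547.014 Active Setup StubPath',
}


@dataclass
class Finding:
    op: str                      # 'Set value' or 'Key created'
    hive: str                    # HKLM, or HKCU for the SID-qualified HKU path
    wow64: bool                  # written through the WOW6432Node reflection
    key: str                     # hive-relative key without WOW6432Node
    value_name: Optional[str]
    data: Optional[str]
    technique: str
    executable: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def normalise(raw_path: str):
    """Split a \\REGISTRY\\... path into (hive, wow64 flag, hive-relative path)."""
    if USER_HIVE_RE.match(raw_path):
        hive, rest = 'HKCU', USER_HIVE_RE.sub('', raw_path, count=1)
    elif raw_path.upper().startswith(MACHINE_PREFIX):
        hive, rest = 'HKLM', raw_path[len(MACHINE_PREFIX):]
    else:
        raise ValueError(f'unexpected hive in {raw_path}')
    wow64 = 'wow6432node\\' in rest.lower()
    rest = re.sub(r'(?i)wow6432node\\', '', rest)
    return hive, wow64, rest


def classify(row: str) -> Optional[Finding]:
    """Return a Finding if the row touches a known autostart location, else None."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f'unparsed row: {row}')
    op = 'Key created' if m.group(1) == 'Key created' else 'Set value'
    hive, wow64, rest = normalise(m.group(2))
    data = m.group(3)
    if op == 'Set value':                    # last path element is the value name
        key, _, value_name = rest.rpartition('\\')
    else:
        key, value_name = rest, None
    lowered = key.lower()
    technique = next((label for prefix, label in AUTOSTART.items()
                      if lowered == prefix or lowered.startswith(prefix + '\\')), None)
    if technique is None:
        return None
    f = Finding(op, hive, wow64, key, value_name, data, technique)
    if data is not None:
        cmd = data.replace('\\\\', '\\')     # undo the sandbox's doubled backslashes
        exe = re.match(r'^"?(.*?\.exe)', cmd, re.I)
        f.executable = exe.group(1) if exe else cmd
        if not f.executable.lower().startswith(TRUSTED_DIRS):
            f.notes.append('autostart target outside Windows/Program Files')
    if technique.startswith('T1547.014'):
        guid = key.rsplit('\\', 1)[-1]
        if not GUID_RE.match(guid):          # a CLSID is hex; J or X means a hand-made key
            f.notes.append(f'malformed Active Setup GUID {guid}')
    return f


def triage(rows):
    """Return (all autostart findings, the subset that carries a warning note)."""
    findings = [f for f in map(classify, rows) if f is not None]
    return findings, [f for f in findings if f.notes]


def persistence_targets(rows):
    """Distinct executables the autostart entries point at: the paths to sweep other hosts for."""
    return sorted({f.executable.lower() for f in triage(rows)[0] if f.executable})


if __name__ == '__main__':
    for f in triage(EVENTS)[0]:
        flag = '!!' if f.notes else '  '
        print(f'{flag} {f.hive}\\{f.key} [{f.value_name}] -> {f.executable} ({f.technique}) {"; ".join(f.notes)}')
```

Four of the six rows are flagged: the three Run-style values and the Active Setup StubPath, all pointing at C:\install\server.exe. The bare "Key created" row for Policies\Explorer\Run is classified but not flagged because it carries no data yet, which is the usual pattern: the key is created first and the value written in the next event.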

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE
PID 2900 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe

"C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

N/A

Files

memory/2900-0-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1392-4-0x0000000002500000-0x0000000002501000-memory.dmp

memory/608-245-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2900-248-0x0000000000400000-0x0000000000457000-memory.dmp