Malware Analysis Report

2024-12-07 20:28

Sample ID: 240311-q81swscd3w
Target: c0c225e9ae2c853eb7ed5b3349e04081
SHA256: 045c99196c1bdd7c3c199365876db6b4df7bbb748d75e2af6adc798ea0b2e21f
Tags: cybergate vítima persistence stealer trojan upx
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 045c99196c1bdd7c3c199365876db6b4df7bbb748d75e2af6adc798ea0b2e21f

Threat Level: Known bad

The file c0c225e9ae2c853eb7ed5b3349e04081 was found to be: Known bad.

Malicious Activity Summary

cybergate vítima persistence stealer trojan upx

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-11 13:56

Signatures

Unsigned PE

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-11 13:56
Reported: 2024-03-11 14:01
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 153s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\iexplorer.exe Restart" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 8

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
File opened for modification | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
File opened for modification | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
File opened for modification | C:\Windows\SysWOW64\spynet\ | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
File opened for modification | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Windows\SysWOW64\spynet\iexplorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe | N/A | 63

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\spynet\iexplorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1284 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | 14
PID 3020 wrote to memory of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | C:\Windows\Explorer.EXE | 50

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | "C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe"
C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | "C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe"
C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe | "C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe"
C:\Windows\SysWOW64\spynet\iexplorer.exe | "C:\Windows\system32\spynet\iexplorer.exe"
C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Windows\SysWOW64\spynet\iexplorer.exe

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | www.server.com | udp | 1
US | 52.8.126.80:80 | www.server.com | tcp | 12

Files

memory/3020-2-0x0000000000400000-0x0000000000488000-memory.dmp

memory/3020-3-0x0000000000400000-0x0000000000488000-memory.dmp

memory/3020-4-0x0000000000400000-0x0000000000488000-memory.dmp

memory/3020-5-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1200-9-0x0000000002950000-0x0000000002951000-memory.dmp

memory/2664-254-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2664-253-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/3020-534-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2664-535-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 3a227c36e41ee0fdddb4245676374fda
SHA1 0d6150da0476f3d3b3f53b8146cde8464d13d52c
SHA256 83cbbeb798040c68346f46f8f80f058a6aef01adf65309239dbd46d2a3602228
SHA512 04dbbf5de36ce8875ab2e021577540bb4bedd2b1498a69a924315c4a0a6cf0f2b6c80dcc0646afa4f724ffa96bfdd620a1c34a528bc4b9ac31edcd2bd62f8219

C:\Windows\SysWOW64\spynet\iexplorer.exe

MD5 c0c225e9ae2c853eb7ed5b3349e04081
SHA1 abcb002a06b138ab79694bdd1da119c8430faa68
SHA256 045c99196c1bdd7c3c199365876db6b4df7bbb748d75e2af6adc798ea0b2e21f
SHA512 6183a975c33fdf4b3d6962982381424df9ca6dceddeb0695635e8fb677ff1536c06fbe46a8016e94489d3c3fe916c1a3aac08665220d770c685621e1063f5479

memory/1824-841-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/3020-842-0x0000000000400000-0x0000000000488000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe

MD5 85836e853dfd49a4d92ba5a851a0b2e8
SHA1 f4d66e1350ef8f17aa769d7b81adfb5b8e634793
SHA256 b399cba99301d54470ca657319517bc29b2b6c85487b0b4190da530d51160c6d
SHA512 aef8ed3268be8cf2985a5ea9c0b7a5d359225c00d6afef5d3fe6ddeaff1a1da357d4068a93fd76f86583ff7a53f469924a361f27b855fea4764354d3b5f94e09

memory/2664-873-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1824-875-0x0000000005700000-0x0000000005797000-memory.dmp

memory/2960-876-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1824-877-0x0000000005700000-0x0000000005797000-memory.dmp

memory/2960-878-0x0000000000230000-0x0000000000231000-memory.dmp

\Windows\SysWOW64\spynet\iexplorer.exe

MD5 f09cb51a613ba44089ddd47112dff76d
SHA1 1b748cad3e800a3cb9326933a7135f7a5aa06707
SHA256 10e4e3eb346c268ecec11049ef9bc5294595d78994805f6a57a46115de733cf1
SHA512 13c9b82b558e8f1c36f438b779ae9395f32584fbecf14a8d2bc9251ec724c8694b75dc79a16f0a9d97feaea213c45f9e5aac0a0b1bd5c986420d54c72c3c75fd

memory/1988-888-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1988-891-0x0000000000400000-0x0000000000488000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 03fbec0b667e1443323714e4906b10ea
SHA1 87e9ad83dba38f95f7a2bb8c4cb3ec493b8fe266
SHA256 9156486aa2c7679d23ac4cea25a9c469a8d7b7805878da8081a88955dc6ba969
SHA512 2fe5e952688540d92a7084a3f56b7de87c517ae02cc4f03cc58e10949f4c5047692bcbb703d50c0a6b0364b5412699d98455309011c39b43444d5d3b4639dd3c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 91a4eaf14ba3094803f34a928dae790a
SHA1 a9a2b89b76910fb4daa20e5f47a1cb35c90f3873
SHA256 1f95e62753f9bb048b61b2f36c9c931a5417a824ca478a4e866fb9bd2e46ecda
SHA512 155cc6b3f6f08742d707bebdf820a12fe19f2eed3de934b5d6ee8096c238f2d0a2c093c5be5791f8d39c169b2793b34ccde1d645cd0c3a539a4bbef8ef148349

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 92594d799f0ca167c93fce0fb3e87651
SHA1 97c68e3b1f177861cd5e6835961873beb079c243
SHA256 35a92849f11773a286b19561869539cf2bb41e0a5070b4e5ac37eaaef9bda0da
SHA512 25ee4d5001c592ff4157ff4bf3a041ff60c8b4a090e6f7a41919d33eb39081524859a39af298264ff99924240828d2e2cb73878fcbee52d264ad902a8b0c5f15

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ea97080ac24ffdd270359012de850fe3
SHA1 08c28f0048ab4285a716d82199662d1e19295e4a
SHA256 b4a9af827bd23d1e3c404a97867756448d3c352380ef3738837ff3653a63ad82
SHA512 f14c4f7ed36e120c6f3a3d116f447d01e3db11304526d2a15a83c138165128426d6d921803722971f725450197e5d576ccc371cf5fabf3ad237d8ba24862de5e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 53aaa0c196f4f5cff98ac8b6263c7872
SHA1 36ea7e60be7bc12af40019a4da91c480a83a868f
SHA256 f0af50f92d7f464ee445fb7a2fec5a47873f2af40834e0beb3cadb056cec9c22
SHA512 24f74b58e3f0d0c6aa72be0a5c21201de4b348163a4d638a5f518e6ba941bbef642d0c63cd08e50d850b0dd8a7d405344cff39c38ee651dce9d31e2d61818bdb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 14cf90bb45d5544ab434f0172ec50d10
SHA1 a0d777af13eea732795a2eaa6f87a22c9570ed6a
SHA256 84a6790f5457499314be841085672c0c642d7aa3bcf82ffeea2e78b5611fce59
SHA512 4cdcd95eae1b92dc2a881341bdee56ba39e671151db7c146fdbdb891a7094bb2e641fc33bafdba102c8be7ad67a3c7aee6bc1900886f8c84da04fbcc92cc6302

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 72569147ff7f638377130ebcc9d09806
SHA1 5f8afe7ad1efbb0a48494eee47f6d68b6085b297
SHA256 9db9a68d94756db7eb89c086d694465de6813b8579d2feb526df9223c71b6418
SHA512 700a07fda55805e3a7088d8b064426f85fe25805ec33b64ebc29b7a6800364330bba37f0523aec28cf5a932d956a64222147e0be270db0cc4cbf856eb2f55410

memory/1824-1223-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6e77d05e560adf001080a2f12c2350eb
SHA1 26c3ff2ddadd38a1e1cf1355d7280bde4db3d67b
SHA256 0b1b58320cf1528e24f90c6b9869f428f8931b7103579b1a5f5e766212b98c59
SHA512 f90cd1c6635928ec76ae8659fd0076c89a1cce8ae6456e4c99696c455dab8195262abe239ea3c1c663070d2e3c5033e8c2ae4671785ae1dfa04b14372525d0aa

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6c81bfd90f796a4d6670b3e424fa8732
SHA1 cbef3c07c6d4b9662fd41516677440e98b16fd9e
SHA256 750eb77e2fb152d0afddb18b3f29cbc14abaec0a7c8fd42e0fcbd7fa355d5a78
SHA512 36a8edcd9be622751c6bb4e6e7c022e2de6ea61ef7dde8b29b54fad7ba7f652e8d6be52648bbb68ede8ac158235fa587ac4a51a44fae959196c67eb1b3f347fa

memory/2960-1362-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3c142bb6bf3ec5b6a609ba3672885a48
SHA1 ebc898a1d5d20d6770bc031519ef3bac8aac0061
SHA256 207bf8dc72e1511c468799f34ef5e36aac475a1782b2f49db3b468f3d6a4da0a
SHA512 6c76620560b9511668ce77e961b279a50521405c557a03d4a69aab3aaaba5a7dbb2a9516b8b0ec25efe10bf63a8da4e8602b093c16247f3307eb74dd8bd0c5f3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3148ad0d03137c196cae4ed2ad5cb4ae
SHA1 29a5973c8f2aeb5151a298b9c884827a35e6f16b
SHA256 f15e52758cc859a12950129c9a8d06e22cabae747858cea7fe503e118e7bd58a
SHA512 2b517ff8f4faf0df3d13847c782d2b92a8b77bd90ac91a2c8d956f0583664bd8c1259606d5a78c43eeb3a2dfae8f189e9bf1c57f9beea2d392ff80f19be9e638

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 88e564c1f37ab8366abaffbaf3ba506e
SHA1 f83faa492972c04b01e9bf078b4b2060d62fae04
SHA256 3e81869d49f820152a4d2afbb566e687a0fe30e374aaa2a38cc3d133e0a215fc
SHA512 005ca4fb30766c341aca207aeda5cb5e285d1114d06e33ed3116d9d2f8527d2c85f71d9279ec695d0df017790a4479044fc40eaa3fc6035b0b9add3fe401ea3f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 bae9341309b053713ff74bd5d8f21da5
SHA1 e7d51b60f27ae077665f273f0631e96368122bf6
SHA256 c26aaf41d5a2b596cd62a3ee3b60ec9991736e5f1928f8f79ac37b79680d96df
SHA512 00902900dfe0a09c87f100c6aba594c23f75741739dac2e0be9c7e365df6ae668ee4783a3bc86a2b7dc9b39fe8ad708be37948d107fa116657c196ab6a0d177f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 170306ffe9471f336ae93eb0680ed905
SHA1 02e3c0708fa4e9aebb733056494f71ed2ddfce39
SHA256 bedc68946e713b673d2a9de1a2be36288d781cf71e93bcda32abc0ae67e016fb
SHA512 94da64c858bfbafd55e9848f151bdd671607721662777a02cf1d09db70b4784c336f76d230afc7437ef03f377d69c768911bfe0fbbb91711c757a78b73ff57c8

memory/2960-1604-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 55760b19373537ef03c7ca17a92b35e3
SHA1 dddce0081d093a594730d78e92270a15ce447317
SHA256 6699c40348dc31aeff2bcff4c506338327eed8eb847220ef6c21e2e76fe97e9f
SHA512 3e11d0959e507e2e094ad1ff139f654fa623f5fd9ca4a66c43df4a971b2912c3f7c7a5a3897d06dca561b8b5a7a2ee64b33bc8e013e46f864d16b58f7881547a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6f78ac43e83044ea6362bf6d441dd7b6
SHA1 f92422c08e238a47c7668f1bd5372a36d3d402f1
SHA256 27d029cf40688621773bf2399206824238bb515dabb401d0bbe6848965f316f8
SHA512 5e609252a88c939df80d1f9b3c62376569473cb9edd44a7a6be509a3046d08cc5c949c42f705632b9efa25ff2d10a3964ffbe7af925a7d86417562f90d3e8d74

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 83a2e525223df0d614a4c28f5ccba5e7
SHA1 c8ea3f6254a9267a93d022e24ee7c8a2ceb3fddc
SHA256 6154f386b19aa5dfa007153a30c6050376dcc32facdf1e1de8cb1121b6eb2dc4
SHA512 c0df47c86beaa96499a6e9b4862e7c6ed56f5a91819aa124f3ff9b08e37838fe76175d481690c622e31b97dd1df1075a3041f51f1a1d96d4223f903edbac177e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a3b96158c21195ef581283e77fed7a12
SHA1 f0e92b544e92d3a83ffc6a3d0eb73f2f44f9858d
SHA256 a4d66f37ed4411375d3308c241dd7f6869d3e6f826ef50e54732fce605e8983d
SHA512 d5971ae5051829fc8222d8058d266abb47e98b381fcb82d729b779396d29b909ab089f1786f2692cb0bb4111ba111f552155546708aeb5966a927c076f50ca32

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 18f15eed6e4b2b66a7c982bcdb936229
SHA1 dfd6f3bc96e43bc08e1d29e22f7bafcad2e6a7f4
SHA256 1aae81749c4d2e54f4816ab8d9a951cfcba5882d07af1402b84c7148c3be8953
SHA512 49fda0861e3a6feac0c49a698776075bf4073070a74e4c876b3b224de2e44a492297a6d209f16590f19d3ef308481f86f7cb3c517ac24b94cebe866f32252886

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 be68813c3727504a248331834c44a356
SHA1 1af6d6534c5fe63a586b12f77de42a09258c294d
SHA256 4a55a40629a4b363feec73147e169ba01fe36e51f89c5397bcd71470c67d4e41
SHA512 4dcb6c2161511db596bf1dfdda11f78908df86f7deac210e1c55b3e65689f9e502485b2e7798fc5db5a448bda2c8910b005ffadcfd32050dee3dc803de2ed7aa

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a15f4ec68e6d5dae207a60f4e30d0d56
SHA1 660c64689ce8c78038f28bb996148d4e2e1bddf4
SHA256 2cdd983b6558a01ddcb0ad7c7687c2bf80ca764b7b7c9765d35db197c0593126
SHA512 c278cdabc2942b7809710e91ceb67c8fcb9f65fbd95af0f7a9a1631c8397f5602fdc1260a56abca3aab6562deceb9351a96115fd7539583f162d1426be7ff73d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-11 13:56
Reported: 2024-03-11 14:01
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 156s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\iexplorer.exe Restart" C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\iexplorer.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\iexplorer.exe" C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\iexplorer.exe" C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\spynet\iexplorer.exe C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\iexplorer.exe C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\ C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\iexplorer.exe C:\Windows\SysWOW64\spynet\iexplorer.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\spynet\iexplorer.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe N/A
N/A N/A C:\Windows\SysWOW64\spynet\iexplorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe
PID 1864 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe

"C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe"

C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe

C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe

"C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe"

C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe

"C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe"

C:\Windows\SysWOW64\spynet\iexplorer.exe

"C:\Windows\system32\spynet\iexplorer.exe"

C:\Windows\SysWOW64\spynet\iexplorer.exe

C:\Windows\SysWOW64\spynet\iexplorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 532 -ip 532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8

Network


Files
