Malware Analysis Report

2025-01-02 13:12

Sample ID 240316-nqrq6aab6y
Target cdf6aebe5de273b6f5d54ee844b3eaa8
SHA256 52ce9cc373bec4f16a17d1c84bfda66b22e245c186d03022da08170f83552582
Tags
cybergate cyber persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

52ce9cc373bec4f16a17d1c84bfda66b22e245c186d03022da08170f83552582

Threat Level: Known bad

The file cdf6aebe5de273b6f5d54ee844b3eaa8 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-16 11:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 11:36

Reported

2024-03-16 11:38

Platform

win7-20231129-en

Max time kernel

146s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71} C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×4)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A (×2)
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe (×4)
PID 1756 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe C:\Windows\Explorer.EXE (×60)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe

"C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (×13)

Files

memory/2232-2-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

memory/2232-3-0x0000000001F90000-0x0000000002010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe

MD5 0548c6a94dec06ff79fa14834deca881
SHA1 6035d95be9214b8fb5775b141a9b1156de851d9d
SHA256 433a6cc8a87a44d9ad6e789b6f9f496c2f699e2f0793314db04288ee739bd805
SHA512 33cbbb976cd035aa1ff409018c239738f78704bd6cb3fa896d39c859aa77917e200c8e772589c30031c2750f7b1e22220191cb4a9aadf91ddb4a3c854c1e8f88

memory/2232-9-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

memory/2232-10-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

memory/1336-15-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/560-260-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/560-262-0x0000000000140000-0x0000000000141000-memory.dmp

memory/560-544-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 288df3dc4f0a2beda544817d04404b7c
SHA1 29dd25aa1670c5664acab20b52b18d8a3c908316
SHA256 bdb1956a26d8780041f3cd374c6f3547254381295d4b4b98dfc0dff6766b04e3
SHA512 edfb32fe521c05cc0a15aa1f90c9f78392422278d0ed5a0d6372ff6f6748617813613eb564204adc46a74c4466d9582d200d3e2bb3208b88d41f6fae598828d2

memory/2456-843-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7 (18 distinct versions)

memory/560-977-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/2456-1776-0x0000000010560000-0x00000000105C5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-16 11:36

Reported

2024-03-16 11:39

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71} C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×7)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A (×2)
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WinDir\Svchost.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A (×2)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe
PID 4472 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe
PID 4472 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE
PID 4804 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe

"C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe"

C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 584

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 www.server.com udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

C:\Users\Admin\AppData\Roaming\Adminlog.dat

C:\Users\Admin\AppData\Local\Temp\Admin7
