Malware Analysis Report

2025-01-02 13:08

Sample ID 240317-kv65vsag58
Target d075bedece11df60534e70661c0bb2dc
SHA256 d070323a64019d049690e2c6dc75e135401d54eb11b674cdd429337dbccb013c
Tags: cybergate zatootaringa persistence stealer trojan upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

d070323a64019d049690e2c6dc75e135401d54eb11b674cdd429337dbccb013c

Threat Level: Known bad

The file d075bedece11df60534e70661c0bb2dc was found to be: Known bad.

Malicious Activity Summary

cybergate zatootaringa persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-17 08:56

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-17 08:56
Reported: 2024-03-17 08:58
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 152s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\SR925\\sr925.exe" | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\SR925\\sr925.exe" | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{H7XOV351-BE01-2B2L-755X-8K5S66G6UD81} | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H7XOV351-BE01-2B2L-755X-8K5S66G6UD81}\StubPath = "C:\\Windows\\system32\\SR925\\sr925.exe Restart" | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{H7XOV351-BE01-2B2L-755X-8K5S66G6UD81} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H7XOV351-BE01-2B2L-755X-8K5S66G6UD81}\StubPath = "C:\\Windows\\system32\\SR925\\sr925.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SR925\sr925.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\SR925\sr925.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (12 identical rows; no indicator, process or target recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\SR925\\sr925.exe" | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\SR925\\sr925.exe" | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\SR925\sr925.exe | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\SR925\sr925.exe | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\SR925\sr925.exe | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\SR925\ | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\SR925\sr925.exe | C:\Windows\SysWOW64\SR925\sr925.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 696 set thread context of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe
PID 3012 set thread context of 1252 | N/A | C:\Windows\SysWOW64\SR925\sr925.exe | C:\Windows\SysWOW64\SR925\sr925.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\SR925\sr925.exe

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 696 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe (8 identical rows)
PID 3448 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | C:\Windows\Explorer.EXE (56 identical rows)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe

"C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe"

C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe

"C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe"

C:\Windows\SysWOW64\SR925\sr925.exe

"C:\Windows\system32\SR925\sr925.exe"

C:\Windows\SysWOW64\SR925\sr925.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1252 -ip 1252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 572

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.server.com | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp

Files

memory/696-0-0x0000000000400000-0x000000000040D000-memory.dmp

memory/3448-3-0x0000000000400000-0x000000000045D000-memory.dmp

memory/696-6-0x0000000000400000-0x000000000040D000-memory.dmp

memory/3448-5-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3448-8-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3448-12-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1212-16-0x0000000000740000-0x0000000000741000-memory.dmp

memory/1212-17-0x0000000000A00000-0x0000000000A01000-memory.dmp

memory/3448-72-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1212-77-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 789e04a911cadecd74c234b86251a072
SHA1 ecbc4a73577a55cffd43963d1039849c5ed31802
SHA256 14f45c81af6963ff6f459b9d653695d5b9c7368ce805606d40c3fcd2fef5fc9d
SHA512 405a753d5b930ab523bb86e38b2033ba9d42325b78926281d2e041ea57e2e8806a884d53736caea3da6fa47086891d2d773ba13f9d5a63449fd09abf8fe2768b

C:\Windows\SysWOW64\SR925\sr925.exe

MD5 d075bedece11df60534e70661c0bb2dc
SHA1 a6ae68e5017749f4a88f8dc1810a7da63d6df441
SHA256 d070323a64019d049690e2c6dc75e135401d54eb11b674cdd429337dbccb013c
SHA512 f651ec9b516dc431a52c22668d99a962930e8b2c7cef4c9b876ada90f4ec77656defcb19ad1bcbad7709bfab6b2a4643e4d270f852cf71e62ec01ff70deea760

memory/2452-87-0x0000000000400000-0x000000000040D000-memory.dmp

memory/3448-150-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2452-149-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/3012-175-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1252-179-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1252-182-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1212-184-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 009caada8704a7dbfd0eef9198a21369
SHA1 563bd02d85ffbfc99a9a1b5339f0c71131fc4cd4
SHA256 e81071f2147e59673dfdbf26bfac0fda11c358736f7af3d913b70db1ee333f4a
SHA512 77419aa4a5a8b093d852440389f993e65d939b9562814711633817a29636eb774fc7df73f578ceed4713a7517e0a8c2e05f991e04b5e00af5fe3d99b846c2c2b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 80d5e6f9f6764fa9a5e61a7d34fcd4cd
SHA1 9cad1b92368a3f338506312227500e0d6d5ca3fa
SHA256 4ea634c6f0007881303112d7dc704af65bd22f4f936fb3b2ed5ce523eb4aad9a
SHA512 957b6465aa2e4b1177371116fcf399b7a471508a75468601a0d7b69429c86849d968940e9b57475883d9d50b8f1ac9dc481821ebd73486a866d37da93152fe46

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3a5291e8deb7548315068c44a1ba058c
SHA1 77548988d38923145f5fdba707e4b6fc9c55f0c5
SHA256 ef66b3646808ec736f035e85394b10ad9b4dc8e925b626250dbc2240c4c4538e
SHA512 614673df4b51a405722a1efbe1d556ae41b4a0ccd07a57747d948705c2eca525fd351de93425e6a184fe6b71c4353f4f0778477fb335e89283697d5bebfa43f4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3cd57b50f4440eb2f78ba9d3e49203a3
SHA1 b13c83a4de6ff0d58913a91d6093f43a93bfe22a
SHA256 5ad27759934992abbcad1810c3fe47f46360cf8cd72f515b2e4101e55a6b2c63
SHA512 69a64a86d4a523b642ce5800ac9a2cae74beb13d4e30bcc7ed5fa16bab1f8cdd2a502de151601da1e95aac748eb9a6fc4b23604fe170f7d76871fc9589ba96a8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e048aefdba878fc19ae17eb6c7288183
SHA1 8f679a47dadd0d5b00c0379f6691b3069553801c
SHA256 711243d8c4fcfe31c7cc8576e6355030061456bb0820d1bad520a6f097dcfeb3
SHA512 81b78bba6d3d71ef60d002e956b0e8eeec1f5d1e348640e1d649952c115f43452211949d72fe5465fe31442a52e2f3cece3b3f127d75455488a3f522439436af

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ef8d8667c3e7720c87b191316d79fe09
SHA1 37b290bb488785f859f89fca4de47e613a9c8fed
SHA256 fddcea0c74647d0628680735179067d6d2c484c01ec4773b9dda243990142063
SHA512 072a6b02f5bfac33a7d3ac951dad253a8da71619419150aa4824607d26915131ae0607650bb116c4b5426ed1ecdcbfe49e0ff2cc45a72d04f877bc1bf2898865

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cf158e6986bc19eccad81cc5123f5dcf
SHA1 ed6bec820770f04030b9ae35f8118e5715d4e0fa
SHA256 22e9d5d566021fc65a310b66744281e32e703c0fa2c598845570b7e8d5ca1dbb
SHA512 dcd3c65303f6c05c06600c239285421c3a28c56e55508f8a2681ace1ce0d0406d7d97bda696a145f720eedaade79f0d2df9032dd299b4492108b22abc2bf5959

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 11f7c108fe57b1c3a3396c3fdc50b735
SHA1 3f0d929becf3097e3bc03d362684c5ba34e155a1
SHA256 9a13aceace9c89ed900f6a69f3645b296d67542bc07359bb415263a078779204
SHA512 cc47f9c7ff0a753b99ed5fed57692fa012c89757b214edfc32ccd13cd7322ab2114b1e45c294af757145241e75ae9b935b03bd43adfbac2b40b22461c8c4398a

memory/2452-872-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0a57782547d06a426983345fdd85b18a
SHA1 1384290fdb63ce0396524b58bbf69cf857c701c1
SHA256 72360ac1762e69b41377c3758a1cee00317a3fe9fb795bbfe55074dfc663be19
SHA512 321257e83fa3b4543ea1d964b440e289669c586249b7b0d69f749b81ed6721f2900052e0cb0ae789b3e4e3af693600f3107d508b81b016b5711bf5ecdd65ca83

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 bb7fa961c34ff3a1d7596d91cb9b56d9
SHA1 691848bd8f087da54f5f96f5cdb1648acc699990
SHA256 e63e991742ce053374f970eedb7d940f3d33fdcec90e5f16d79ed636b643757f
SHA512 9c275925cbf299d9bdc43a1f438667ed577db6676744c9a61d55f6b1941cf077bbed45338283f2a9e00a0643d57203367cdcb9d9b6d9e120762032bdc17157c1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 751c7fcc009c7d2a28251b3b6fe16f5f
SHA1 c03fa420a5196c473919389d87d4fe63090069a5
SHA256 d386fbc3681ecdb720887a8e4fa1e793b149f8acb0e42231d5b3c58a123828ea
SHA512 d22f2458ec3ec71e92a84ad31de9883182351bc7f7be32b7eaf0b598af729df151f2d8ad16b96e28bcbd474cdf787d0127d96f5b8999614239b16075428b3d8d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2f423e52f1528163402e3f111a3479d8
SHA1 fd1d60caa541f039b4a7c05f33167ae02b97f63d
SHA256 0e13a59ecd0ec08f0df8067609f6f80125732cd8912454e77d38f511a8032b46
SHA512 fd821b9a8a7022b52d233349a118f1941da2841222ceb29f253110a1293a3768d64128bd5e1928bd9814be27e380785c692b49dcfff0a4731c0712712b1e45ac

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3c6155644d534a7b8898970eabb5dcd7
SHA1 7e33fa17310533cc41951ec3c540db9c3dc18c8b
SHA256 4ebde24a251a8b49e867779e3442ec798dd06c0c2f076574e229beda0790854e
SHA512 5ad2041592df62b3709cae411cfc612be577325b2de3c9a9b6a0f6402aa565a2febadb1e87e23f2cf50ed13dc9a2943aeb7c595cde1b8e807225237a9c0e1512

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fc51120a185c2a90a768d0737862b954
SHA1 5f77bc480ccd2b89619119e1f7fa4f4348049e1c
SHA256 a36894c7e901bdd1f3ad9090d87fd247fe9808d1de9c5f4ddca2dd32ea70bf73
SHA512 2c37f38eea5a9677395c81d993bbf36eb21a344b716242e5cfb799e3d2183137017cc0b13aedfe7d547747ed3edbf575c7bc12ac9d8bd265a5ab34591b559e04

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 09e2104e7e172db426151cfcff4965ff
SHA1 fadd4257884d897dbdbc1bf8b7681366e51e909b
SHA256 1e457815efa6e8f35ce843e6e0c0020980b0c5fee6f8d7d09a6de9b270ffde59
SHA512 3fed81b55fa836796de2e3da5ded59bf66f4c03104673547d06969365cf75a6ce68da2cd9fffb4f145b8dfa8327341eead40e896440388c7c94a6bc6d75e4311

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b1403a16ff5044d00f02546c8b87c410
SHA1 96f3234b1aad654d491d45f3fbd9e6848ecf0d4f
SHA256 9213446ccc754a645a4b2fc6652bf61c2d3b9996bd3e7b998341245a735ae21e
SHA512 4002b2f4e12c98d4fa2eb10e8b8d66b36cbf0cff2485a413d079fd6eaa41031e98288fce632fd0477c6c6dc0c348ab2a6cdc86c188423ec19381cb1e586b88fb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 646308d47709448f9529cde69c4e72cc
SHA1 735f5b14e50011c3dc799be09a6ea33685ecb57d
SHA256 5e8c0b5239e938ff0381da41bc6b9c14ab2bc608d1abae31f0bf17d87d4e79ec
SHA512 6a0195746c1a252c5abca800ceb5ec040ff8d3e21e25dba6b153b7ce6586c923e952ac2f65cf0722b589dc2c553e5b1209ce08ebdf51572f276c6b79e31e6624

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 364c2ad413ebea3fe463633ec60249b4
SHA1 49b71fce99e4eabec634b577a69971486ee69049
SHA256 ccb7b5c5457215881cfb2bdb88fe60e4af5c422d3d54d422e69f8ecf27c89c7b
SHA512 5cce7ec5dd83fef2e1f4ccdc180f0f18eefcbdef8d7dc8edfc1a1d6afdcb6ab18d39ea7682da52a182488c82f3de9835d73c1626c65477661f5a93f9e206b4bc

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-17 08:56
Reported: 2024-03-17 08:58
Platform: win7-20240221-en
Max time kernel: 141s
Max time network: 122s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\SR925\\sr925.exe" | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\SR925\\sr925.exe" | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H7XOV351-BE01-2B2L-755X-8K5S66G6UD81} | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H7XOV351-BE01-2B2L-755X-8K5S66G6UD81}\StubPath = "C:\\Windows\\system32\\SR925\\sr925.exe Restart" | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 identical rows; no indicator, process or target recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\SR925\\sr925.exe" | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\SR925\\sr925.exe" | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\SR925\sr925.exe | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\SR925\sr925.exe | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2868 set thread context of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2868 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe (8 identical rows)
PID 1704 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe | C:\Windows\Explorer.EXE (14 identical rows)
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE
PID 1704 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe

"C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe"

C:\Users\Admin\AppData\Local\Temp\d075bedece11df60534e70661c0bb2dc.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

N/A

Files

memory/2868-0-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2868-4-0x00000000005A0000-0x00000000005AD000-memory.dmp

memory/1704-3-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1704-6-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1704-7-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1704-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1704-10-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2868-12-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1704-13-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1704-15-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1704-14-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1220-19-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/2228-262-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2228-264-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1704-531-0x0000000000400000-0x000000000045D000-memory.dmp