Malware Analysis Report

2024-09-22 10:17

Sample ID 240327-dyerfsee8v
Target e0a5a7fe64828973524bb8c013a16a73
SHA256 1f1c4a1c68c30e8376d647f68671e53942933809b97c42ec5de3dd68eb9a4032
Tags
cybergate remote persistence stealer trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

1f1c4a1c68c30e8376d647f68671e53942933809b97c42ec5de3dd68eb9a4032

Threat Level: Known bad

The file e0a5a7fe64828973524bb8c013a16a73 was found to be: Known bad.

Malicious Activity Summary

cybergate remote persistence stealer trojan upx

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-27 03:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-27 03:24

Reported

2024-03-27 03:27

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe

"C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe"

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-27 03:24

Reported

2024-03-27 03:27

Platform

win7-20240221-en

Max time kernel

21s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\install\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe" C:\Windows\SysWOW64\install\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\install\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe" C:\Windows\SysWOW64\install\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\explorer.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX} C:\Windows\SysWOW64\install\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe Restart" C:\Windows\SysWOW64\install\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX} C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe" C:\Windows\SysWOW64\install\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe" C:\Windows\SysWOW64\install\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\svchost.exe C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A
File opened for modification C:\Windows\SysWOW64\install\svchost.exe C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A
File opened for modification C:\Windows\SysWOW64\install\svchost.exe C:\Windows\SysWOW64\install\svchost.exe N/A
File created C:\Windows\SysWOW64\install\svchost.exe C:\Windows\SysWOW64\install\svchost.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\install\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A
N/A N/A C:\Windows\SysWOW64\install\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe
PID 2472 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe

"C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe"

C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe

C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\install\svchost.exe

"C:\Windows\system32\install\svchost.exe"

C:\Windows\SysWOW64\install\svchost.exe

C:\Windows\SysWOW64\install\svchost.exe

C:\Windows\SysWOW64\install\svchost.exe

"C:\Windows\SysWOW64\install\svchost.exe"

C:\Users\Admin\AppData\Roaming\install\svchost.exe

"C:\Users\Admin\AppData\Roaming\install\svchost.exe"

C:\Users\Admin\AppData\Roaming\install\svchost.exe

C:\Users\Admin\AppData\Roaming\install\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 544

Network

Country Destination Domain Proto
US 8.8.8.8:53 bikini.no-ip.info udp

Files
