cybergate | 918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59

Analysis

max time kernel
150s
max time network
114s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe
Size

1.3MB
MD5

5b4676c83b81c115e4213863027a8cd8
SHA1

c6ce3d2675c4fb5e160976ed0c1ee0ac7fdfda15
SHA256

918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59
SHA512

5799829fe0fc921fa91f93573d5ddfb155ab04541260a3b864e9cc68dc6512c1fe348f844cac6db09e5666efcb540efb1a3f65d93677aedbade888196d87261d
SSDEEP

24576:PHwF8vrx52t07FQaWZ1xuVVjfFoynPaVBUR8f+kN10EBCvzR:PQF8vrYaKamQDgok30/bR

Score

10^/10

cybergate darkcomet guest16 remote evasion persistence rat stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

big_hacker.no-ip.biz:76

Mutex

DC_MUTEX-6MQJ6G6

Attributes

InstallPath
SYS32\sys32.exe
gencode
V9HSzMovyRBL
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

miecrosoft.servehttp.com:81

bighacker.no-ip.biz:99

Mutex

BD8K6YUOG4TT2Q

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
nividia
install_file
nividia
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

fierfox.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\SYS32\\sys32.exe"	fierfox.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

sys32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	sys32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	sys32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	sys32.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

sys32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" sys32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	sys32.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sys32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sys32.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

sys32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sys32.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 5 IoCs

Processes:

vbscrypter.exeWindowsAppl.exefierfox.exechrome.exesys32.exe

pid process

896 vbscrypter.exe
320 WindowsAppl.exe
1764 fierfox.exe
1360 chrome.exe
432 sys32.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

868 attrib.exe
1680 attrib.exe

pid	process
896	vbscrypter.exe
320	WindowsAppl.exe
1764	fierfox.exe
1360	chrome.exe
432	sys32.exe

pid	process
868	attrib.exe
1680	attrib.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1360-95-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1360-104-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1460-109-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1460-112-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1360-117-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral1/memory/560-122-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral1/memory/560-123-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral1/memory/560-124-0x00000000104F0000-0x0000000010560000-memory.dmp	upx

Loads dropped DLL 9 IoCs

Processes:

918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exeWindowsAppl.exefierfox.exe

pid	process
1304	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe
1304	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe
1304	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe
320	WindowsAppl.exe
320	WindowsAppl.exe
320	WindowsAppl.exe
320	WindowsAppl.exe
1764	fierfox.exe
1764	fierfox.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sys32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sys32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fierfox.exesys32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\SYS32\\sys32.exe"	fierfox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\SYS32\\sys32.exe"	sys32.exe

Drops file in System32 directory 3 IoCs

Processes:

fierfox.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SYS32\sys32.exe	fierfox.exe
File opened for modification	C:\Windows\SysWOW64\SYS32\sys32.exe	fierfox.exe
File opened for modification	C:\Windows\SysWOW64\SYS32\	fierfox.exe

Drops file in Windows directory 4 IoCs

Processes:

chrome.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\nividia\nividia	chrome.exe
File opened for modification	C:\Windows\nividia\nividia	explorer.exe
File opened for modification	C:\Windows\nividia\	explorer.exe
File created	C:\Windows\nividia\nividia	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

chrome.exe

pid process

1360 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sys32.exe

pid process

432 sys32.exe

pid	process
1360	chrome.exe

pid	process
432	sys32.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

fierfox.exesys32.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1764	fierfox.exe
Token: SeSecurityPrivilege	1764	fierfox.exe
Token: SeTakeOwnershipPrivilege	1764	fierfox.exe
Token: SeLoadDriverPrivilege	1764	fierfox.exe
Token: SeSystemProfilePrivilege	1764	fierfox.exe
Token: SeSystemtimePrivilege	1764	fierfox.exe
Token: SeProfSingleProcessPrivilege	1764	fierfox.exe
Token: SeIncBasePriorityPrivilege	1764	fierfox.exe
Token: SeCreatePagefilePrivilege	1764	fierfox.exe
Token: SeBackupPrivilege	1764	fierfox.exe
Token: SeRestorePrivilege	1764	fierfox.exe
Token: SeShutdownPrivilege	1764	fierfox.exe
Token: SeDebugPrivilege	1764	fierfox.exe
Token: SeSystemEnvironmentPrivilege	1764	fierfox.exe
Token: SeChangeNotifyPrivilege	1764	fierfox.exe
Token: SeRemoteShutdownPrivilege	1764	fierfox.exe
Token: SeUndockPrivilege	1764	fierfox.exe
Token: SeManageVolumePrivilege	1764	fierfox.exe
Token: SeImpersonatePrivilege	1764	fierfox.exe
Token: SeCreateGlobalPrivilege	1764	fierfox.exe
Token: 33	1764	fierfox.exe
Token: 34	1764	fierfox.exe
Token: 35	1764	fierfox.exe
Token: SeIncreaseQuotaPrivilege	432	sys32.exe
Token: SeSecurityPrivilege	432	sys32.exe
Token: SeTakeOwnershipPrivilege	432	sys32.exe
Token: SeLoadDriverPrivilege	432	sys32.exe
Token: SeSystemProfilePrivilege	432	sys32.exe
Token: SeSystemtimePrivilege	432	sys32.exe
Token: SeProfSingleProcessPrivilege	432	sys32.exe
Token: SeIncBasePriorityPrivilege	432	sys32.exe
Token: SeCreatePagefilePrivilege	432	sys32.exe
Token: SeBackupPrivilege	432	sys32.exe
Token: SeRestorePrivilege	432	sys32.exe
Token: SeShutdownPrivilege	432	sys32.exe
Token: SeDebugPrivilege	432	sys32.exe
Token: SeSystemEnvironmentPrivilege	432	sys32.exe
Token: SeChangeNotifyPrivilege	432	sys32.exe
Token: SeRemoteShutdownPrivilege	432	sys32.exe
Token: SeUndockPrivilege	432	sys32.exe
Token: SeManageVolumePrivilege	432	sys32.exe
Token: SeImpersonatePrivilege	432	sys32.exe
Token: SeCreateGlobalPrivilege	432	sys32.exe
Token: 33	432	sys32.exe
Token: 34	432	sys32.exe
Token: 35	432	sys32.exe
Token: SeDebugPrivilege	560	explorer.exe
Token: SeDebugPrivilege	560	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

chrome.exe

pid process

1360 chrome.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbscrypter.exesys32.exe

pid process

896 vbscrypter.exe
432 sys32.exe

pid	process
1360	chrome.exe

pid	process
896	vbscrypter.exe
432	sys32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exeWindowsAppl.exefierfox.execmd.execmd.exesys32.exe

description	pid	process	target process
PID 1304 wrote to memory of 896	1304	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	vbscrypter.exe
PID 1304 wrote to memory of 896	1304	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	vbscrypter.exe
PID 1304 wrote to memory of 896	1304	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	vbscrypter.exe
PID 1304 wrote to memory of 896	1304	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	vbscrypter.exe
PID 1304 wrote to memory of 320	1304	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	WindowsAppl.exe
PID 1304 wrote to memory of 320	1304	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	WindowsAppl.exe
PID 1304 wrote to memory of 320	1304	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	WindowsAppl.exe
PID 1304 wrote to memory of 320	1304	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	WindowsAppl.exe
PID 320 wrote to memory of 1764	320	WindowsAppl.exe	fierfox.exe
PID 320 wrote to memory of 1764	320	WindowsAppl.exe	fierfox.exe
PID 320 wrote to memory of 1764	320	WindowsAppl.exe	fierfox.exe
PID 320 wrote to memory of 1764	320	WindowsAppl.exe	fierfox.exe
PID 320 wrote to memory of 1360	320	WindowsAppl.exe	chrome.exe
PID 320 wrote to memory of 1360	320	WindowsAppl.exe	chrome.exe
PID 320 wrote to memory of 1360	320	WindowsAppl.exe	chrome.exe
PID 320 wrote to memory of 1360	320	WindowsAppl.exe	chrome.exe
PID 1764 wrote to memory of 540	1764	fierfox.exe	cmd.exe
PID 1764 wrote to memory of 540	1764	fierfox.exe	cmd.exe
PID 1764 wrote to memory of 540	1764	fierfox.exe	cmd.exe
PID 1764 wrote to memory of 540	1764	fierfox.exe	cmd.exe
PID 1764 wrote to memory of 1960	1764	fierfox.exe	cmd.exe
PID 1764 wrote to memory of 1960	1764	fierfox.exe	cmd.exe
PID 1764 wrote to memory of 1960	1764	fierfox.exe	cmd.exe
PID 1764 wrote to memory of 1960	1764	fierfox.exe	cmd.exe
PID 540 wrote to memory of 868	540	cmd.exe	attrib.exe
PID 540 wrote to memory of 868	540	cmd.exe	attrib.exe
PID 540 wrote to memory of 868	540	cmd.exe	attrib.exe
PID 540 wrote to memory of 868	540	cmd.exe	attrib.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1764 wrote to memory of 664	1764	fierfox.exe	notepad.exe
PID 1960 wrote to memory of 1680	1960	cmd.exe	attrib.exe
PID 1960 wrote to memory of 1680	1960	cmd.exe	attrib.exe
PID 1960 wrote to memory of 1680	1960	cmd.exe	attrib.exe
PID 1960 wrote to memory of 1680	1960	cmd.exe	attrib.exe
PID 1764 wrote to memory of 432	1764	fierfox.exe	sys32.exe
PID 1764 wrote to memory of 432	1764	fierfox.exe	sys32.exe
PID 1764 wrote to memory of 432	1764	fierfox.exe	sys32.exe
PID 1764 wrote to memory of 432	1764	fierfox.exe	sys32.exe
PID 432 wrote to memory of 1924	432	sys32.exe	notepad.exe
PID 432 wrote to memory of 1924	432	sys32.exe	notepad.exe
PID 432 wrote to memory of 1924	432	sys32.exe	notepad.exe
PID 432 wrote to memory of 1924	432	sys32.exe	notepad.exe
PID 432 wrote to memory of 1924	432	sys32.exe	notepad.exe
PID 432 wrote to memory of 1924	432	sys32.exe	notepad.exe
PID 432 wrote to memory of 1924	432	sys32.exe	notepad.exe
PID 432 wrote to memory of 1924	432	sys32.exe	notepad.exe
PID 432 wrote to memory of 1924	432	sys32.exe	notepad.exe
PID 432 wrote to memory of 1924	432	sys32.exe	notepad.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

sys32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	sys32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	sys32.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

868 attrib.exe
1680 attrib.exe

pid	process
868	attrib.exe
1680	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe
"C:\Users\Admin\AppData\Local\Temp\918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\vbscrypter.exe
"C:\Users\Admin\AppData\Local\Temp\vbscrypter.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:896

C:\Users\Admin\AppData\Local\Temp\WindowsAppl.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsAppl.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Temp\fierfox.exe
"C:\Users\Admin\AppData\Local\Temp\fierfox.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\fierfox.exe" +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\fierfox.exe" +s +h
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1680

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:664

C:\Windows\SysWOW64\SYS32\sys32.exe
"C:\Windows\system32\SYS32\sys32.exe"
5⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:432

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1360

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
PID:1460

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
385KB

MD5
03d55ecd6eb57a1de0d261ab7ee41460

SHA1
eeb888ef8ef6800415cbb302256c99610e56300d

SHA256
5aa449ee4c92b0312d3bd089972221eac72494a3e3573f70b979ef8cae1709fc

SHA512
0d8bae16676154d53064154bc9d8328f87c8681cd68fe9944bb240675ad32a079b8d061860a22f497a4c0536e5a7baaec68de299e013397d7da6e49ae945a52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsAppl.exe

Filesize
1.2MB

MD5
ec2436cd141afa1fb1a976b12d98a17c

SHA1
eeda63b952abf0ff06199d56f6ca36c240672eaf

SHA256
d4253b5d58810e94776eb97a578fd08f93e3460bd46e0f2989cc547a7a2fa438

SHA512
8b500deb12ed76ca69725de19dccb822a2456ab18f5e6b5b50ea2f0a0a32ec5429b3345845a81bdb7b88e2e6c66cf8826c8d521139173900eb4234228fda0991

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsAppl.exe

Filesize
1.2MB

MD5
ec2436cd141afa1fb1a976b12d98a17c

SHA1
eeda63b952abf0ff06199d56f6ca36c240672eaf

SHA256
d4253b5d58810e94776eb97a578fd08f93e3460bd46e0f2989cc547a7a2fa438

SHA512
8b500deb12ed76ca69725de19dccb822a2456ab18f5e6b5b50ea2f0a0a32ec5429b3345845a81bdb7b88e2e6c66cf8826c8d521139173900eb4234228fda0991

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
428KB

MD5
eebc420cdfa5e8a6b663d7032adbe569

SHA1
64e9b38db2eaed74df3f7d975e550594df7b1da6

SHA256
bb7dc63ad0715b29d4bf954cc5109481fbe8a70215d6b823c45a93db715eafa1

SHA512
07ecd024c7f30a986bff8ae873cb56034df4c387494acce991db7455e184440aa721e388331a4577a8b6a91e17fa4a8d95467b26bee9af6fc1a27e30b16edcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
428KB

MD5
eebc420cdfa5e8a6b663d7032adbe569

SHA1
64e9b38db2eaed74df3f7d975e550594df7b1da6

SHA256
bb7dc63ad0715b29d4bf954cc5109481fbe8a70215d6b823c45a93db715eafa1

SHA512
07ecd024c7f30a986bff8ae873cb56034df4c387494acce991db7455e184440aa721e388331a4577a8b6a91e17fa4a8d95467b26bee9af6fc1a27e30b16edcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\fierfox.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
C:\Users\Admin\AppData\Local\Temp\fierfox.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbscrypter.exe

Filesize
76KB

MD5
0618322a26c6c68013ea3f725c0f7a9e

SHA1
fbe56f43c0038b5471a41a082342326bd7858e8b

SHA256
2ae474ec4240e9b148ba065a9fa8c35183091753607d14de357c11f445c3f7cb

SHA512
117040e3c16d2ea60b75c843480c79e5821f3933a63ae2de518b5d6e302c6f71d0420167c7be902dab8e24b3e9d541d53ff6d5728f6af93066f005ab09ebdc5b

Download Submit
C:\Windows\SysWOW64\SYS32\sys32.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
C:\Windows\SysWOW64\SYS32\sys32.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
C:\Windows\nividia\nividia

Filesize
428KB

MD5
eebc420cdfa5e8a6b663d7032adbe569

SHA1
64e9b38db2eaed74df3f7d975e550594df7b1da6

SHA256
bb7dc63ad0715b29d4bf954cc5109481fbe8a70215d6b823c45a93db715eafa1

SHA512
07ecd024c7f30a986bff8ae873cb56034df4c387494acce991db7455e184440aa721e388331a4577a8b6a91e17fa4a8d95467b26bee9af6fc1a27e30b16edcce

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsAppl.exe

Filesize
1.2MB

MD5
ec2436cd141afa1fb1a976b12d98a17c

SHA1
eeda63b952abf0ff06199d56f6ca36c240672eaf

SHA256
d4253b5d58810e94776eb97a578fd08f93e3460bd46e0f2989cc547a7a2fa438

SHA512
8b500deb12ed76ca69725de19dccb822a2456ab18f5e6b5b50ea2f0a0a32ec5429b3345845a81bdb7b88e2e6c66cf8826c8d521139173900eb4234228fda0991

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
428KB

MD5
eebc420cdfa5e8a6b663d7032adbe569

SHA1
64e9b38db2eaed74df3f7d975e550594df7b1da6

SHA256
bb7dc63ad0715b29d4bf954cc5109481fbe8a70215d6b823c45a93db715eafa1

SHA512
07ecd024c7f30a986bff8ae873cb56034df4c387494acce991db7455e184440aa721e388331a4577a8b6a91e17fa4a8d95467b26bee9af6fc1a27e30b16edcce

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
428KB

MD5
eebc420cdfa5e8a6b663d7032adbe569

SHA1
64e9b38db2eaed74df3f7d975e550594df7b1da6

SHA256
bb7dc63ad0715b29d4bf954cc5109481fbe8a70215d6b823c45a93db715eafa1

SHA512
07ecd024c7f30a986bff8ae873cb56034df4c387494acce991db7455e184440aa721e388331a4577a8b6a91e17fa4a8d95467b26bee9af6fc1a27e30b16edcce

Download Submit
\Users\Admin\AppData\Local\Temp\fierfox.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
\Users\Admin\AppData\Local\Temp\fierfox.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
\Users\Admin\AppData\Local\Temp\vbscrypter.exe

Filesize
76KB

MD5
0618322a26c6c68013ea3f725c0f7a9e

SHA1
fbe56f43c0038b5471a41a082342326bd7858e8b

SHA256
2ae474ec4240e9b148ba065a9fa8c35183091753607d14de357c11f445c3f7cb

SHA512
117040e3c16d2ea60b75c843480c79e5821f3933a63ae2de518b5d6e302c6f71d0420167c7be902dab8e24b3e9d541d53ff6d5728f6af93066f005ab09ebdc5b

Download Submit
\Users\Admin\AppData\Local\Temp\vbscrypter.exe

Filesize
76KB

MD5
0618322a26c6c68013ea3f725c0f7a9e

SHA1
fbe56f43c0038b5471a41a082342326bd7858e8b

SHA256
2ae474ec4240e9b148ba065a9fa8c35183091753607d14de357c11f445c3f7cb

SHA512
117040e3c16d2ea60b75c843480c79e5821f3933a63ae2de518b5d6e302c6f71d0420167c7be902dab8e24b3e9d541d53ff6d5728f6af93066f005ab09ebdc5b

Download Submit
\Windows\SysWOW64\SYS32\sys32.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
\Windows\SysWOW64\SYS32\sys32.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
memory/320-65-0x00000000012C0000-0x00000000013F6000-memory.dmp

Filesize
1.2MB

Download
memory/320-62-0x0000000000000000-mapping.dmp

Download
memory/432-87-0x0000000000000000-mapping.dmp

Download
memory/540-79-0x0000000000000000-mapping.dmp

Download
memory/560-123-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/560-114-0x0000000000000000-mapping.dmp

Download
memory/560-122-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/560-124-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/664-82-0x0000000000000000-mapping.dmp

Download
memory/868-81-0x0000000000000000-mapping.dmp

Download
memory/896-58-0x0000000000000000-mapping.dmp

Download
memory/1304-54-0x00000000011F0000-0x0000000001342000-memory.dmp

Filesize
1.3MB

Download
memory/1304-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1312-98-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1360-104-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1360-95-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1360-117-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/1360-74-0x0000000000000000-mapping.dmp

Download
memory/1460-101-0x0000000000000000-mapping.dmp

Download
memory/1460-103-0x000000006EB11000-0x000000006EB13000-memory.dmp

Filesize
8KB

Download
memory/1460-109-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1460-112-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1680-84-0x0000000000000000-mapping.dmp

Download
memory/1764-70-0x0000000000000000-mapping.dmp

Download
memory/1924-91-0x0000000000000000-mapping.dmp

Download
memory/1960-80-0x0000000000000000-mapping.dmp

Download