cybergate | 1d0128fd3184a765076397dd308e51bbc578a3639cb9c08ab6b5c36704d772b4

Resubmissions

14-11-2023 17:31

231114-v3qg7acf42 10

14-11-2023 17:21

28-10-2023 19:29

24-10-2023 13:29

18-10-2023 12:04

07-09-2023 12:10

Analysis

max time kernel
31s
max time network
19s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-09-2023 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Size

3.5MB
MD5

54837d1612edd427f413f55d6079fd5d
SHA1

d25af43ee7df4d41373d66bcba7da0a7d217c1c1
SHA256

8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f
SHA512

cdd9687d6382f5cd3ff031753e00b5cd2a6abd403e37547143d0ac8ed1447b243c5f24d34f98ac08c5aab62c232e9cac2c0b287d7df8cdee605b7eeb07bdcdb3
SSDEEP

6144:FSAP5c1MI2QLb9/REfzrjNG7i1BV+GKdyIpNd0f:FVTI2QLb9/kzHNGcaXIf

Score

10^/10

cybergate 1112 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

1112

111220402011.no-ip.org:8020

Mutex

XVYJ6C4S2P1EUJ

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Nvidia
install_file
csrss.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1112
regkey_hkcu
Nvidia
regkey_hklm
Nvidia

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Nvidia = "C:\\Program Files (x86)\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Nvidia = "C:\\Program Files (x86)\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}\StubPath = "C:\\Program Files (x86)\\Nvidia\\csrss.exe Restart"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}\StubPath = "C:\\Program Files (x86)\\Nvidia\\csrss.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	csrss.exe
2240	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1340	explorer.exe
1340	explorer.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral18/memory/2888-545-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral18/memory/2888-619-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral18/memory/1340-852-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral18/memory/1340-890-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Nvidia = "C:\\Program Files (x86)\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nvidia = "C:\\Program Files (x86)\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2840 set thread context of 2240	2840	csrss.exe	32

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nvidia\csrss.exe	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
File opened for modification	C:\Program Files (x86)\Nvidia\csrss.exe	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
File opened for modification	C:\Program Files (x86)\Nvidia\csrss.exe	explorer.exe
File opened for modification	C:\Program Files (x86)\Nvidia\	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1340	explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Token: SeBackupPrivilege	2888	explorer.exe
Token: SeRestorePrivilege	2888	explorer.exe
Token: SeBackupPrivilege	1340	explorer.exe
Token: SeRestorePrivilege	1340	explorer.exe
Token: SeDebugPrivilege	1340	explorer.exe
Token: SeDebugPrivilege	1340	explorer.exe
Token: SeDebugPrivilege	2840	csrss.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
1340	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1340	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2984 wrote to memory of 2236	2984	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	28
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12
PID 2236 wrote to memory of 1260	2236	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Suspicious use of AdjustPrivilegeToken
      PID:2888
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Loads dropped DLL
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1340
    - - C:\Program Files (x86)\Nvidia\csrss.exe
        
        "C:\Program Files (x86)\Nvidia\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
      - C:\Program Files (x86)\Nvidia\csrss.exe
        
        "C:\Program Files (x86)\Nvidia\csrss.exe"
        6⤵
        Executes dropped EXE
        
        PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nvidia\csrss.exe

Filesize
3.5MB

MD5
54837d1612edd427f413f55d6079fd5d

SHA1
d25af43ee7df4d41373d66bcba7da0a7d217c1c1

SHA256
8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f

SHA512
cdd9687d6382f5cd3ff031753e00b5cd2a6abd403e37547143d0ac8ed1447b243c5f24d34f98ac08c5aab62c232e9cac2c0b287d7df8cdee605b7eeb07bdcdb3

Download Submit
C:\Program Files (x86)\Nvidia\csrss.exe

Filesize
3.5MB

MD5
54837d1612edd427f413f55d6079fd5d

SHA1
d25af43ee7df4d41373d66bcba7da0a7d217c1c1

SHA256
8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f

SHA512
cdd9687d6382f5cd3ff031753e00b5cd2a6abd403e37547143d0ac8ed1447b243c5f24d34f98ac08c5aab62c232e9cac2c0b287d7df8cdee605b7eeb07bdcdb3

Download Submit
C:\Program Files (x86)\Nvidia\csrss.exe

Filesize
3.5MB

MD5
54837d1612edd427f413f55d6079fd5d

SHA1
d25af43ee7df4d41373d66bcba7da0a7d217c1c1

SHA256
8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f

SHA512
cdd9687d6382f5cd3ff031753e00b5cd2a6abd403e37547143d0ac8ed1447b243c5f24d34f98ac08c5aab62c232e9cac2c0b287d7df8cdee605b7eeb07bdcdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
4116cd4e64685742e25dccbdf183fe5e

SHA1
832bee645205f6369cb69606ae9849f5d6df019a

SHA256
08e14700dc6fe7578f45339155c1c7bd44d51632541e339dd845c1cfb40da90b

SHA512
3c91479bb6a24b5e1f74757e900256a72ca50c092f1867e35d5f9022e507526d23e798e8da573c8df70e01e85beb5d0027f86a6ff7817181a812aee54e77387c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1fac1a70867887c7c78a1b2961828783

SHA1
3b7a36d555e54e8d0645d70d0f5ec995b9a32840

SHA256
830ddb3c0f66388f666da296b220f41f7d4ea0142d10cbbfb56e561e08c64903

SHA512
f72cf0f2b18e773500f6311a24dd945d1aac5b874adf13d2b3aa05731d6d1e99cb0d5ca12ca7958adec6142ba734f6af6e8df7f768d82b56edc6e0b1de26c7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fe5a7342f4232366a4c96d243006502c

SHA1
d264dd86a71759f1ddf07acb24d137cb0ae2b913

SHA256
0e42c776cd865c3725a46b99167041cb8b529136e22f476f887d915c5f7bbc92

SHA512
96fe6c8fc0bf3a7d15eb50826ff0e97d0ea4b657c71cdb4ba11acbd94986dc82a7555611a691db8813762fd6f4b6a429fef70f0b495c1fc93f479fda01af443b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ca8565ad0cc51e2700bcf79a765b8b84

SHA1
7b2ff74965c62540bd76e73b9021c9144eddc86b

SHA256
96c1c6b359435a42d4e42fac2361a97e7ec86967bf68b386c3c69bad09288343

SHA512
bab2bf19243f0b15ba5aca0cf24c0c20dae2a1faae72dff038b4f3e655fb0f2b5642c90f31c26e5d3c9f8a1ff92ba42e77d49a260c94f8a586e6b5a96432bd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
900986a8773f2f31945f50b22debe872

SHA1
9002bbb2ad72b66b8c10b58cd13fdfebba032527

SHA256
e4957bb78ee3c061aa5d8993bdd034134dadab58f1210b6b828a0aa0e16248f2

SHA512
1f6e94514b8f5e160a2dc66d1ceb2759842bb8a678b8381ce1ff2145053d35417083434c1b44047ef94798a1c4ea3807dffcafa117380b0897e6ca24020d198f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
daf477bcc23081b3af6ef9fa1f082693

SHA1
172b43229847c19c6c01dbbf097d8ca7416dc77e

SHA256
d0f9e2e6931d9ec3d7f527e90058965ef21e088908f352eb4c5065a94458503c

SHA512
6d365049ca3d4c401f805c513430cb7f408cfe13d8268733fb8ed501e85117926636768ba35b413fe4c6a2859b76947a65b46a7a13b700f1cdde7c7187083b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
689696913e02eac5287e773fa010a294

SHA1
9962d2c2efba67f330001f34833c3c849dec13a9

SHA256
8e29a1e032b6235d61ee159fe749fb97fa07e6dc26a08e22df046c9b0ca17217

SHA512
0e65cdb2aff506aa7f58331086fe1dd20286f9e453974dace78fde2f1f5927acc10db242bea7fdaea4b4c18f279516f3072558b49bd747d227875a9bd4d9cda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b0566a39ae5a8fc40a1957192effa531

SHA1
5306faa5c1b93767f272ba0b1efefc11673b1b8c

SHA256
1ab59bf3c1955c383e2dbb64ecb9563967c0e6531e788d199356da43ab974e55

SHA512
f42dfa03ebb2e259e0bd5f816a6dabcce4906d74768d9ee6b7d33328550eb2e8a3f35c68269ac17fc68801f782dba553a02cc0ee0ce94d9ec24add5714dc6cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e951fed00736af5e62d2266843af2b61

SHA1
8a8a4198e39b01e82192bad4ca8ac656ef43b1e5

SHA256
995f9d9175080b4a2f447ca213ce74ad6c89e84499be706a9547d0d9716e98e1

SHA512
46e7fa3ec17a45c4a1bf27fcf87a205f7e8ccab9ef925663f89ce9c5fd6cf5e7263d7cb3f6f02a962fc4f4fae89009ee3b30dc8c89201ebe3801743cc94cb35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a2cae4d3ecce7c56591bacc2a09943ee

SHA1
e832e4e74e3d90fedaa8142bceb04e332051fe71

SHA256
87defdcb0a05765bd75d640b42c8ac2690af0fa5c4a61aab5e6eb44d9900937d

SHA512
db59242759066dcd3ac6a021a9219b690e2b882e20233ed2e0e9cc88dc9a0e0a1cfe3d002ba9de7efa8620d1823a7343381af31e9991772cc288ab34683a96cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f62a112a0d10f7c20e11f9857dd16fc3

SHA1
57b1f8aa74984195e247a21cfdcc1deb62435cc3

SHA256
1684b701d6ce82cb6ce7760f134216a00bee479270b7856eeb54e47e18cee528

SHA512
fbe67405a0a43fbfc940a0abb8bec6b002e50c0bc8c92e011ff3194bb5a9e0943fdfece561c6902b4a4b652bc45978eb17b6eb9bf86cddc264780afb45956115

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8088132f47a7be86b3665dc898f0a79d

SHA1
4ff4e575d5aa51c24476abfb0a7043cad5c84d47

SHA256
977ec32e674f12f17a22100c199703a14a5b6689aea0dd3a435736155ab2b460

SHA512
50e8e6ebda7777135fef89a9b3e989f57b6c94df2e337bfe4df5054653251257807fa175ae683d0da468a24e6f973f5262286e9510cdb9e0156749fbca7a75f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6099a35b90eae8840afd539843e62fb8

SHA1
a182b31d5f2d2dbd127e39ec31d3634a76fb1f57

SHA256
8beed17c65b7d94273b1feaebedc5c785efc203c66326955258b07dda019307f

SHA512
95a32bc358088b7ff6f4092733bdfb27d96d570119afe4673569b61247907f59b664bdd72a855471f3459daae3be2682c68fdd1822898956dcbffdfa8662b814

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
85bf16ae01b8260830189014e50fe16f

SHA1
7702fb510cbd12567830d8f9983b452d35ae853e

SHA256
0608b24f9c3b57433103b1d955a4ea9e8007b9a3e9c767bc4ee229a195d01a3c

SHA512
9886bce2b2cf96b62b8aafad55dd7b84f681083eab2f7a1da3a656517f0640f727bef6d4eedb3ba819482efe4cf43915549bf56dd11328928f25d588d4728396

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f94d97adc080ac46bbdd8984fff5c788

SHA1
83e7e1daab576ad58281b5c9f838a28894eccaf2

SHA256
10aa6a0bb986f6bb54f83a0c6e2ef34a56ca44465d2692625322d01485d9daae

SHA512
e78a32a879ea00acfab0d93aa93f2f958e2c75cb0f92ef1e060e1d1e02ae7c976e251ec93e651881466eb4bb77633ef3e08c88b1e8db73446be29fe003a2dd10

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\Program Files (x86)\Nvidia\csrss.exe

Filesize
3.5MB

MD5
54837d1612edd427f413f55d6079fd5d

SHA1
d25af43ee7df4d41373d66bcba7da0a7d217c1c1

SHA256
8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f

SHA512
cdd9687d6382f5cd3ff031753e00b5cd2a6abd403e37547143d0ac8ed1447b243c5f24d34f98ac08c5aab62c232e9cac2c0b287d7df8cdee605b7eeb07bdcdb3

Download Submit
\Program Files (x86)\Nvidia\csrss.exe

Filesize
3.5MB

MD5
54837d1612edd427f413f55d6079fd5d

SHA1
d25af43ee7df4d41373d66bcba7da0a7d217c1c1

SHA256
8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f

SHA512
cdd9687d6382f5cd3ff031753e00b5cd2a6abd403e37547143d0ac8ed1447b243c5f24d34f98ac08c5aab62c232e9cac2c0b287d7df8cdee605b7eeb07bdcdb3

Download Submit
memory/1260-11-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1340-852-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1340-890-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/2236-314-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2236-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2236-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2236-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2236-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2236-854-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2240-885-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2240-889-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2840-878-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2840-877-0x0000000073B70000-0x000000007411B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-879-0x0000000073B70000-0x000000007411B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-883-0x0000000073B70000-0x000000007411B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-545-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2888-256-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2888-254-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2888-619-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2984-0-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2984-6-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2984-2-0x0000000001EE0000-0x0000000001F20000-memory.dmp

Filesize
256KB

Download
memory/2984-1-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads