cybergate | 38f022c3a2d21a2e39a9ed6200bcf3be7e031fef2927983f558d747270ae57a3

Analysis

max time kernel
69s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2117fb3cce23a1b20c5b6aceaa1b312b.exe
Size

358KB
MD5

2117fb3cce23a1b20c5b6aceaa1b312b
SHA1

0e8d7d5c6c6dd8761c2cc0c75e18b92ee159a18d
SHA256

38f022c3a2d21a2e39a9ed6200bcf3be7e031fef2927983f558d747270ae57a3
SHA512

b7c5fb3ac71e30fc515c5d61a8ad76297c03db714752d785739349ffa99311eb791e85d9f334ba4b92d86cba35317981f4619186c6ea256991493ae30d179034
SSDEEP

6144:cHtDerrOTKGAfVP79nNyoAg45mkEmIkG3Rt8ElUveG2fZYlb2OpnFsBtSOQn:PKTKGAfVhcoxiHnIARzhlbZsBtSb

Score

10^/10

cybergate cagao persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Cagao

welldms.sytes.net:888

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
ServiceWin98
install_file
rundll32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
12345
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2117fb3cce23a1b20c5b6aceaa1b312b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\ServiceWin98\\rundll32.exe"	2117fb3cce23a1b20c5b6aceaa1b312b.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2117fb3cce23a1b20c5b6aceaa1b312b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\ServiceWin98\\rundll32.exe"	2117fb3cce23a1b20c5b6aceaa1b312b.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{76G6UD07-UO54-6V1W-FMO4-205E7GB4TK1R}	2117fb3cce23a1b20c5b6aceaa1b312b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76G6UD07-UO54-6V1W-FMO4-205E7GB4TK1R}\StubPath = "C:\\Program Files (x86)\\ServiceWin98\\rundll32.exe Restart"	2117fb3cce23a1b20c5b6aceaa1b312b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{76G6UD07-UO54-6V1W-FMO4-205E7GB4TK1R}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76G6UD07-UO54-6V1W-FMO4-205E7GB4TK1R}\StubPath = "C:\\Program Files (x86)\\ServiceWin98\\rundll32.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
1552	rundll32.exe
852	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
2100	2117fb3cce23a1b20c5b6aceaa1b312b.exe
2100	2117fb3cce23a1b20c5b6aceaa1b312b.exe
1552	rundll32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1480-547-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2100-850-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1480-1421-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2100-2082-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\ServiceWin98\\rundll32.exe"	2117fb3cce23a1b20c5b6aceaa1b312b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\ServiceWin98\\rundll32.exe"	2117fb3cce23a1b20c5b6aceaa1b312b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 1552 set thread context of 852	1552	rundll32.exe	33

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ServiceWin98\rundll32.exe	2117fb3cce23a1b20c5b6aceaa1b312b.exe
File opened for modification	C:\Program Files (x86)\ServiceWin98\rundll32.exe	2117fb3cce23a1b20c5b6aceaa1b312b.exe
File opened for modification	C:\Program Files (x86)\ServiceWin98\rundll32.exe	2117fb3cce23a1b20c5b6aceaa1b312b.exe
File opened for modification	C:\Program Files (x86)\ServiceWin98\	2117fb3cce23a1b20c5b6aceaa1b312b.exe
File opened for modification	C:\Program Files (x86)\ServiceWin98\rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2100	2117fb3cce23a1b20c5b6aceaa1b312b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	2117fb3cce23a1b20c5b6aceaa1b312b.exe
Token: SeDebugPrivilege	2100	2117fb3cce23a1b20c5b6aceaa1b312b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe
1552	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2548 wrote to memory of 2992	2548	2117fb3cce23a1b20c5b6aceaa1b312b.exe	28
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10
PID 2992 wrote to memory of 1380	2992	2117fb3cce23a1b20c5b6aceaa1b312b.exe	10

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\2117fb3cce23a1b20c5b6aceaa1b312b.exe
  "C:\Users\Admin\AppData\Local\Temp\2117fb3cce23a1b20c5b6aceaa1b312b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\2117fb3cce23a1b20c5b6aceaa1b312b.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\2117fb3cce23a1b20c5b6aceaa1b312b.exe
      "C:\Users\Admin\AppData\Local\Temp\2117fb3cce23a1b20c5b6aceaa1b312b.exe"
      4⤵
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2100
    - - C:\Program Files (x86)\ServiceWin98\rundll32.exe
        
        "C:\Program Files (x86)\ServiceWin98\rundll32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1552
      - C:\Program Files (x86)\ServiceWin98\rundll32.exe
        
        6⤵
        Executes dropped EXE
        
        PID:852
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c509a32177971e097d1347ceb9aa800d

SHA1
bd6c7ec04557647c06904bd45b9be12a456d0022

SHA256
33640fc0eb400788ae4d9dcb42a79388ce5bb9f1061164cb1e48e5e55f974ff6

SHA512
fc07b96bd488a8206d0e432d843b8a9523711855de81e851c72896ca95d301b5a1f6082d55d69d3e94d4ffecccc1319468f80af1c578c28aeb7efc99fb6dfcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
73fcd6cbce5680f81b5ec2badd0a7682

SHA1
1a463340b78ac6685b7bc968b4533b75c22d868a

SHA256
f56d0e9fac6e6a2c553ec76d3147ca78b578697b306f9e373659d7722b64a0bc

SHA512
43ff06af7969e25749d5352ad1667a43dc1f8a4ae6f678e2ddbf9b98016582bbd22e2215dabc1aa59ef965109a353f9a6e0dd008b23cfff222972005de8762c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cfe8a42218d7b4ae4049d802d948ae17

SHA1
b93c1a6ffb05bea1a7ccf0028b997e87cc4bee2f

SHA256
9923a12764bd52c8ea03b0e4d000bec18966c0844bf55eb4c1cdd52024f6f365

SHA512
5ebabf593e447ca285b5b5fc02b1e220b17851e903fb29e8173a6f1d0d7b5b3116c37a941a83c234f034ef91fc69a1c7ac9b4ffad48f53b1bb293bd4c1015b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b6ef4d4bf4fa7b50889cdd5a60d07be9

SHA1
3a153b5853de23824e6fc499bf091b78ff62119d

SHA256
fe17ce22b89fcfd88ba0ee6b6a42ad21a7cd4a2d7b548c43b03e161152a09bf0

SHA512
20bbc7a5a89087ce8e9d91b29f6593bcdaad2f6874005354e67580446e00f7a42008f48b4361f906149095b5a5740b119449285e25cf21d26eaefa8266e1849e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c6a533d2b138742b757d5f6e882a1ce4

SHA1
d8f1bc608b26f120e3eb1c76a7b4746dd4681e18

SHA256
715d7c59852d37b885a873146ecbbea169e8e54a8d67d49faeaf79f80ff6f476

SHA512
b973b1b536a0f7a4152d6120e5e2499ef01d7f27fac8e1bd10f0fc802fec174d117cd8e1ab0dbcc13a4ccd32646085463e12d91df1d5a6d03d59455539431b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
717678bef81b4d07b13e123ecd48d5f7

SHA1
9d1fd992486fd9ee198f6f3959e8e56d5c27d4c1

SHA256
1822f901e10ef09286ad754580d20221c369a9d6faaa1d6098ab617d490d67b9

SHA512
9b6b2f7ccd86837d6fc50a2d4e2995c17270537eb7a8db2e96a5b0dae63e2f3e1f5415b4dbda0aa66de3c359a9513ff42a7b5206fb4c71536ac5030a671247f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9575991ae5d14a330e69b15e0eea7b37

SHA1
a690e40dd9ef0020b3f60be79e1ffeddf958b5b0

SHA256
f57aa00c99b3870f690d3ea7755358563cc5ea781ad94637de924dab94f02cbc

SHA512
1a6427016e8edd3c0d3bad34b14dc009035303a9a4b0da07b92056f8c663d5fcabdb846d9807144781a6675d5de6ba43d7c3907d67946eb2ed28bfd187cfac4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
accffa2c9e32b180696f2172d26baaf5

SHA1
6aec8413d0c8bc680b2308bddac89203e837dde8

SHA256
bf29465dbb68964dfb6c0b94cf552f329674211c2f31616d75f19326ef51ad69

SHA512
02822566c17108987663c9fe586e22d8d8bfb49c590716c63436f11130b670506bf0c80bbdd98a99de570a761a7ac08371962c41160287aca4a212aef007210f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
31d2cf5aa1eb91a35551d2b8b558c6d8

SHA1
da142478e8a915959b295fcaac4cc49ad48c160e

SHA256
a2d26a6c6164109030ff9d51b61de8d366ddd4d12e7b7eb9873fd51203b146f3

SHA512
d29c64981d473b2a939761cdfa25b4c757202fdd2ce1cd95b07a2980ba734907d1f5ea866064791ddf00c356ba55a53ca3c504ef0e3097493aa40cf4c0202090

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
da4d767b7fcbeb0a68e7e6c9b53308e9

SHA1
69d2f159185897aedf73fd53da6ba6e3007c6997

SHA256
a6c8df4f5e9abfe2ce6d6a31d90f596a9592b7351f64dce6fe173f065d8979fc

SHA512
a1956724c93941bf20ed1ce8ff823c856c20a4b78ba5f6635fcb31cb1f7369438b5d1e58d4128ddbf7152615da8365f1c2bd2e4fe93e196b96ed90e6f31293de

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
60600615ac4c15b978fdfbbb6f383182

SHA1
f82005bb1b092ef5ccf98c564ed4392e88e660e0

SHA256
2fcb96df0a756588d3d4f0104e88ada12425786aef15c0004d9aabf18637b1bb

SHA512
b2508f395669b21cfa42f2c93553f5e127574ebd803294573f4b24ecc16ee77b73adffd949cc317f10d58751ca9a7aeffe9cf356ba679e6bd8a11677c4578f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f4db5d2ae1059eafff7db555dfac36fc

SHA1
564b931a0052546c293f9ea2e09594fa951f7777

SHA256
829163f8b6cf61386758902810d73c1730c5d71ec7e8f1946e36d6f17aa78224

SHA512
69cc7bc7d6b437ff57662f55c04a0b007efa1c860e03b0c83a54f44b21f8660bb06d481d9ced9797144898ff98952204440b03f41e07f26fc31278afe3936abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
14de401e93cad654579c7fc1ff569568

SHA1
2a4715628b8368eebbbc78198b31fb41f0009a19

SHA256
daccd42a1fbe212f8d539e3c2600e202896bfd2074b7a6997f96150bc3790f50

SHA512
21ed2f50311105ef6edb1727941438780ffa71c9a0334058071dfaa3432c1df58293804b6821754cdac17bd132d6174a108b15d63abeb2119cbbaddae3015b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b2efcca664f610d4e388ada0074add8d

SHA1
b7b1d3a5b6e06fc891ca064efa6ebbeedad078bd

SHA256
e674705de1e73917d3ec6111e022304f0cc921bf0345315e294601de777d22ca

SHA512
84b348067c1c81d046b5fb149cb51da524a943b3c62abeb2b1237febe4ddb4d73e989b845e115ec168e6b1a0f5538d3ac873989e324617af4172d950d0751d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d6ee3fdcdad3371541c07a6aae2d972f

SHA1
95cc62881830caaf494c43f704282aef27b9c6f5

SHA256
3c5b047bce2a536c5bf262b305201c677fa1e60ea8c9617d4d8579f84f94cb90

SHA512
74479da66153ffec8df94c6341a132522abfa635c5f9c78e19a81961c2afdf26c9699bfa372e01595efeac62039a9678f2ed51817ceebf70563633313e62a12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
33f4736d1e61176f6496588c6e4ef85b

SHA1
a0f3c6abe259dc4b9a890a19e2b4808f1b9e98ba

SHA256
288fcf9b58fafd641af0898a8ade324ed5f46965701a1c2285a91a2aba8c36c3

SHA512
e368b07bf82801fbb77d855e7d1fcc9b45e76631ed6f32408c4eded342725db5f110932bf5d9aa5ec59168f520ccb475f9afb8221b1f92f8e1b9c25ca571d4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fd8c80e6d38df2263788615d1c0e80cd

SHA1
7e7bcf8cae2cc27c4a789d15ffff0ca7e35d1e05

SHA256
a7f6e94e9d388753a219b07b8e5c3dceb6b94aee24da8e0bd26672bab9071c61

SHA512
780298630de6f7ef5ff9615c5e380bbcdda5f6cc333a46fc85bfc23f63c5dd658e2f9a52a0d97c49fdb4fe85d92bd79f899003d62dc60795ed72ac1842400305

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b84275cffbb5988e7e8673d63275f3b6

SHA1
c44ed23cea7476052ef32a512344b1c5d598cdf1

SHA256
2e0b514e97c9fe2bcc62dcd3d214b2ccd23d07b18fc1b431ecda427b7d3a000f

SHA512
a4b3916e7f5e7511616ba522cf6c7ac5df979309519ffd8e5adce9b3677384344a690a62914ef13d5adab3d81819cd39e26a17d06dd4aceaf9acfb482a8b48ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f126ac2fb5ced61ec01dd0c87bbef004

SHA1
0e7cb11def583bba4ac5f76e9ed0b67828b131a1

SHA256
31e976de1083cbb0d992aa3687499124bad64ec86755ecdab195207023117658

SHA512
a7fc1ca823d5da938d16caacb7d79528a205ec7611c654ab646c734a0a363bd1dfe6fbe5c17a670cfaaae1eff65dc1fd0a3d0fd125265027b3f9ae4e8782241a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1d6fce8234a7f52ad98f8b265760c7aa

SHA1
3a423462b9cfc546668f52b1cc2e62a381c592ce

SHA256
96cc1d7ad70f1803ef09f208dff45e8a19761b64ff82914f7c34aa31dc0c06c7

SHA512
3915c909a401fcb3b2dd7c9ba87e036e9f29c2d718338ebedbc14096ebf83a97eccd3c1c49417e81d6bfc6266680278878698ebadcef054e1067af275b3a0643

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4d893a1a9cae4c910de6d1adb55e15d8

SHA1
b61172578754adcc0c5181f949d628dc43f6f1ec

SHA256
e28cc024a92d33fb2da0c2227afcff62acbbbe64f7b9d73fe66aac5382b77d99

SHA512
875f2cf44a2cc176e47d4ef68f9152a04a09af3fa6b0b0f31e699a06a127e426a9d9dd126629264492092c2ebf982edd079e3f20960981a754aee03e6d0b1002

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
43d62e8c854bf4ea693c14c2cbfe7295

SHA1
3f3d735780d93d0ad6219f79ba9598525f5171ae

SHA256
9ad8fe3e53a16b789611280160262998001f002ced670715c297d40b0e0213be

SHA512
57277f81e80943d341a4bd4604e8f4876af0321c22b47da0a6b5a3ab3100ad9a5c7d8dca60b03a3000230f0fb8e44880d87f94f40fcda60472b42282bc859813

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
56a564401facdd39c1d0c49791558d66

SHA1
9ba33a37a14b3a6d6af9ac6363864d13f30c8f2f

SHA256
4214ddae0b34be0e9ba48a933d560e2e00b96795cb0dd51d14149c9f9f256ebd

SHA512
c0f788a64903571cdf69e44cb47148b38207432e6de5a42b617af12f96726bb758e16b5dced0091c816b29bb69a97add1138ef4aaf4ccf492651c0ef884a58af

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1c9e7c7871ef83127a8cfc3260e13d49

SHA1
067f8dd687dfbcf1aea3760c172f0fe62a444bbd

SHA256
707d0405d00b9aee3ad24c4fb1d178b9336680998170cc0b720837564640c1f7

SHA512
d04b8c4a05d77b67ac634c603e8f458f5b30454fb14219186fd691162bfcaff9e5f718507b7e129758a1f45f05a23ece2e5926cd165452d78232b7e1b7089594

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3682e667308689fbaa474f7e3587bb54

SHA1
32cd054974c926fee613ec2cd8648f33571ea097

SHA256
9165a398218548486c5882e9c1977fce904c906b20e3d9f9169e2dcdaae05dd0

SHA512
f0c701dabda916ae0cbb6983c4b4d3d13a326c7d105c013eac6179c3652b89f20ea66a872e59271b03502d17fb200a81390fc50eec19fbcca3237eb6f1effbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9df0de4605286c92d01238a3fadc17c9

SHA1
2fd25f99a34b32d06e852cede33867ff70982c8f

SHA256
cf91e3a0ee7e60fc1aba82617cd99d602cb0a995553decdb675777f4f794efa9

SHA512
7d1ade3fb8fba7acfa741317414a1ae98dfddd9861fe7a7cd12e5137bd32cfd2fab3af7a721f8449cd4ac5867f216ef08e7c08a3ff4dc7ccb72122b4dfe0caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a5d7b87488bc4a9e456e64a561ed5ff8

SHA1
6ac6bb61bba09a8872599fffd4fc5976a99a4afe

SHA256
989620a02e6eb235323d2515f357f4b70e8f2ff1e4fce979fd20e94c7a551222

SHA512
2ae706993a8d89d915f147ab49207f1f3046e1590e413a63f4903c2b6ab2bf3079686ec31ba8f3be66202ac6860e351664ca28c6602454da36cff9638f687d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0872c8e66b37479e1a6607c712c1177b

SHA1
719fbdacc5b58700984ee68a0290e9db304f2e56

SHA256
04c57e3b8d42a45e3bf75f55b9015b6ca2366a31689533863b1e5feb205356ab

SHA512
9be5fb908c2ec5294dcf30b834910ed7ced1d1eca1bce81ef9396be553a18af851bc57292a382bfbc9817d973548eba0d6db8802583afc7484f04aeea58243b1

Download Submit
memory/852-903-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/852-900-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1380-22-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1480-270-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1480-547-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1480-1421-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1480-269-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2100-850-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2100-2082-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2992-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2992-11-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2992-10-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2992-8-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2992-6-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2992-4-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2992-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2992-12-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2992-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-18-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2992-17-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2992-851-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2992-15-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads