cybergate | ffb320ec60c0a19ad1a4a3dddd22075c6e66a94cbef4c321a6d09f5f3a36ae55

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
Size

548KB
MD5

ff3b7f563de4bd79698ca6e2ee3ca06a
SHA1

06e5eb41bec31f468229ea93a54976dc76eb4ad9
SHA256

ffb320ec60c0a19ad1a4a3dddd22075c6e66a94cbef4c321a6d09f5f3a36ae55
SHA512

29e2ec9acb0e011ed297b6bdeb1304ebd70593ec85b7b63ea89552ac05ed7f791797e79db7eb400cd4e08064e668ccfc2233bf6981ba0945ed16e83fd0a62a11
SSDEEP

12288:DuqrBDT27EdMxsygLDeFCv+WNCR0oX5M/k1:DxrVBd4lZjXB1

Score

10^/10

cybergate server discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

asmida.zapto.org:81

asmida2.zapto.org:81

asmida.zapto.org:444

asmida2.zapto.org:444

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
Microsoft.NET.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft\\Microsoft.NET.exe"	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft\\Microsoft.NET.exe"	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IU0B10C1-5Y46-H4Y6-CF00-SA8JM4BQ8747}	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IU0B10C1-5Y46-H4Y6-CF00-SA8JM4BQ8747}\StubPath = "C:\\Windows\\Microsoft\\Microsoft.NET.exe Restart"	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IU0B10C1-5Y46-H4Y6-CF00-SA8JM4BQ8747}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IU0B10C1-5Y46-H4Y6-CF00-SA8JM4BQ8747}\StubPath = "C:\\Windows\\Microsoft\\Microsoft.NET.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4916	Microsoft.NET.exe
4544	Microsoft.NET.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Microsoft\\Microsoft.NET.exe"	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5744 set thread context of 4892	5744	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	89
PID 4916 set thread context of 4544	4916	Microsoft.NET.exe	94

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5744-0-0x0000000000400000-0x0000000000673000-memory.dmp	upx
behavioral2/memory/5744-1-0x0000000000400000-0x0000000000673000-memory.dmp	upx
behavioral2/memory/5744-5-0x0000000000400000-0x0000000000673000-memory.dmp	upx
behavioral2/memory/4892-6-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4892-9-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/5744-10-0x0000000000400000-0x0000000000673000-memory.dmp	upx
behavioral2/memory/4892-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4892-11-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4892-16-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4892-17-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4892-20-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4892-41-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4136-83-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/files/0x0007000000023612-85.dat	upx
behavioral2/memory/4892-154-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2576-155-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/4916-182-0x0000000000400000-0x0000000000673000-memory.dmp	upx
behavioral2/memory/4544-185-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4136-186-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2576-187-0x0000000000400000-0x0000000000673000-memory.dmp	upx
behavioral2/memory/2576-188-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft\Microsoft.NET.exe	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft\Microsoft.NET.exe	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft\Microsoft.NET.exe	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft\	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3940	4544	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft.NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2576	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
Token: SeDebugPrivilege	2576	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5744	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
4916	Microsoft.NET.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5744 wrote to memory of 4892	5744	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	89
PID 5744 wrote to memory of 4892	5744	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	89
PID 5744 wrote to memory of 4892	5744	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	89
PID 5744 wrote to memory of 4892	5744	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	89
PID 5744 wrote to memory of 4892	5744	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	89
PID 5744 wrote to memory of 4892	5744	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	89
PID 5744 wrote to memory of 4892	5744	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	89
PID 5744 wrote to memory of 4892	5744	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	89
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56
PID 4892 wrote to memory of 3388	4892	ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5744
- - C:\Users\Admin\AppData\Local\Temp\ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:4136
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ff3b7f563de4bd79698ca6e2ee3ca06a_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2576
    - - C:\Windows\Microsoft\Microsoft.NET.exe
        
        "C:\Windows\Microsoft\Microsoft.NET.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4916
      - C:\Windows\Microsoft\Microsoft.NET.exe
        
        C:\Windows\Microsoft\Microsoft.NET.exe
        6⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 532
        7⤵
        Program crash
        
        PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4544 -ip 4544
1⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4768,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
230KB

MD5
e18d8cbc78b26b05ab5f2c9589fcc2e2

SHA1
e5931a83af7072391dca60220f66932c5de98c5d

SHA256
9605a26a6c7d61a5a7eb2f4586a3f7d8331f1894edeb3eaa6896a208ee664e51

SHA512
146b154c25599674c604122055e5f8982210d18078cb23d5037d46bc906c0899fa5762bab5b0fa8b4a65764e46683a6ccedc029f338a0a6f464e2178f9ada07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3b26093030e8b32b4d475346644854a6

SHA1
51dc46b55e8f292cf1d11afb04d4c70395b41314

SHA256
f4ddb612cc4d62a4c93705f61219a20e1edbdc2918cb6f11aa44e2afe01388d0

SHA512
1fbead627ed9a46094a51aca117453568ce37cdaeba726dd7a3078284ea563f0b30223003e95e81775f7c789ea729515338069917ba76c3ee711cf29549e3257

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ec110c34d55a7a78de752b30e9c0c57

SHA1
e905e8aa3a58b99f4a71ac805f660147a54636de

SHA256
130b15b4cb9661107fc2d617c57a4eabcc0f0b5d921ea7a1dc6cabb879a060f7

SHA512
94eec73771667e35b8e5bf9e893d43e3bd29677dde946bbd3973feb0ea5b3b4042b322c352fdfd23b55f648f6b6f0f1403a2b574a8bed5a153ef73c231fd7b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
96924c9d2c3e36e4c3b94e11e2fdf6a6

SHA1
8c357c69667f50377ecf9150a6d1e0a2e2c6ab98

SHA256
7e2cea1c68d9b200b0095dada5a6d7125cfc04e09d98b80b623a173905b8f8e6

SHA512
ae72674f5d7ef8e27ac6e013125b1bcfd729cc40ec1f2fb2e9b5611fe02e7828be859f9c5ef82f6d229b81075dbfbbd21a62c37cc935e09bc09ff9a25ceca448

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c4104335ac708489c664d989d930b4d2

SHA1
09259de1f8d6dcbd593c31de406d03fc608a4d1d

SHA256
d4a773b7dedca92966a583314144ca0ca326c31240a054630508556554f5e1d8

SHA512
b4ae70e4f04dd691dc3b8744d3731028849f3c3127e7685b384f2e01f1ce56b7f184d4b5986389cc9a92d462292fd8c653b9d24e3bacaf80d04b81824b8b0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a15aa21f59e3f2da22853756cddb586f

SHA1
2de5d7657e933785e2ef58663d8634feb16d8c63

SHA256
04cc646e7423948d58ac342546fa6e75da47135c6d89094b384ee814e2933b34

SHA512
346a8938248072492351d066bfb56f562418a71d3fb7bb9e7ba7cc78bec56534c50b7c958ca134f66db7d012667388140436f3744f2bba570edcb6d8b67a6c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b09fe8642d0483b2800a9a4100cd47b6

SHA1
5170740e3e92e467739fc1e4e19d79caee81e358

SHA256
0c1455e11a2955d4f8c57744ebf88e5f09564dbe3c2486ca83952961bb07f7fa

SHA512
70212888b192da9d0b5807979a4967fef4e9d049edd67acee1505c9d8a310168af962a14372c71fee96b1edcb2e0c81fc481f935294ed82681df9a9c7f3b806b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
502384de9be0f61f32e81378fcbffdda

SHA1
e71f115f234953ff5d34027308f8a72bcb72ba55

SHA256
60c0eb459a0e338c379186b22830383544b1bd0a497e1587055b8d3fcdfed429

SHA512
e689dff09ab3a65fb17c31686571f8aeea36f14cdb5c83452027b8da1987bf88f6831be341ba5c3b285ab10cfbf26105b3964b2bfd0900621212c38b2bbd85bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c5acfb64dff4e0c66d154fbdf0054938

SHA1
731a9e2168f3a55350d568a9e32574b910b87d94

SHA256
d840894ee186966e603c95c3fab23a94c1da5463f83bd2c3813bb53a5972460d

SHA512
3d2d68beeb1556ab7987781be1259f2233f5607f979d2286c73dd3b75c0b599c9d1fc1cffe90bb97e6908c337cb160db84bccce6ba24d74894d9e156c48fc65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fcda5aacd79327ed8683a28a8a708f8d

SHA1
b1eb3887dc57ca2ee51a92946633b6991f683d72

SHA256
a09d385cc4c4851278ae8f0398432922fdadabba96ec488cf6b1c87b15ff6fee

SHA512
41de6ffdadc0369b7fc12b171d97775c06e9e342c5cec0a29166bd54b8855bcb15221c365f65ae57f4d68ec181cb1e3d49903e6696cd644ba4db8de6ee710350

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ed4f04dd117a92acadd6f86e3c5c629

SHA1
63ffc00b38b7b227d77b49c135ba14f8d06d3096

SHA256
1e6a21a86fc4102b2b220ac448275676dcd21ddc91911c6991bcf894b907ec79

SHA512
016c83cfed5e32ce865c12a8780952343f06014d9eb76f985ae730ad29b57da9982c4f29f1d05809d01447c779d3c3496fd5b998f92a3984f21aa0ec01fe478d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4b414d64e690c87a006b73f5d55ca630

SHA1
d5d6d92d358cf6e8daaa106cbd7cde2f3a696744

SHA256
350af8b9a8c1229a0f1a5575e1b3bbe32d9fe0ec6c674d2fead882d973823b4a

SHA512
6797da5ceae4fa5dd36be57247708739e449a775ece978da6f1331f471b4955535dd9d10c7eab1a01f31b2c5e7dbc0556bfa8548dab9ad5ba35b81d7839052a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
da573b4d846708fb9efa197f69a45741

SHA1
e3ecc9c4fcd77e2eaf7d1047d1dd1c760d6b5ba3

SHA256
0cd16a3d6eec4f5ebf486b6ca2e837a767ab0ee55036d9adc967ba28dd8c458e

SHA512
b0c83b25fa50d73fcd092f84a7eb8770b824be924d42b12ae85e441c4c0a196dee4fe7eafc7e443dc1c77317a991e04f8c19bc3988ca625c5d052a30a94557cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d5771c8c2d9202b67789d92665b32fdf

SHA1
f4cff8f1e02d6fe18e10e5b9dc0513e39c0d8cf6

SHA256
1c082666d8890b054f458e27ec2c644f39c71238993007d03a100f781594218c

SHA512
e877a3bd632d682555b154c9f9ae4e2d726ae8e5b619313df45f3e09fd173bdec9da44cd6c2adf40319042dc4853a3a432b04d2d5ad63c7d6531bd1992242dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2b66680bf68b2280210c62265e682880

SHA1
dcb48684657ea635c792369981be57058ff23c38

SHA256
16072093d550f5bda661f9da89fdf3ee3438d813a750deeea759188b60928aea

SHA512
19eee998f56949afb4ca4a1abeb4700ae9f4ae0e216afdba5a56ba7abec43a2d973ebd66cd9675c460d0d13bf81504597604d9df6eccdf5d0d8a4e67a69407b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c33d01ce06e6736d103381fab8b4f70d

SHA1
09b053d9f7e37b38843f6f85d19eadb7cfcaedb8

SHA256
f6a9cadff6856e26f7fe171f2632cafd08747d3d935fae27c0de06207fbb6b22

SHA512
b9f01ab51880662bb22cba8c162d049c46008e7cac88e72cc9c296fbe8dd4f34bc77910a1bcb77e7d21b86342a9d25a6780d60680f872cb1935bc32f27d99b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c3f09657215b5937ce7ee99a09242749

SHA1
dea1a3f3b77e45d41c221cf74cef105f8a6e4a7d

SHA256
216dac02edd6d87b979affa4c86c56d71fc853839f454cd1168f8696d0183a9c

SHA512
713833b7f0a6de01cb40566c0f722f44d2fb0818dd467099177f77134d98c7b854d43c39961bd4edbb8e6880782b823fa2e0e33d3e7e83cb30ae21ec97566ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a1bd552fc482e63f4475ca65c21cd2cf

SHA1
aaecccc08f7d3e2a99afe1dfddb211434045aae5

SHA256
db60fb723a64b9f87caa39e991b2c2765f2daf51c313936c88fce4d013118550

SHA512
ae51f69d709fc1f9d901ccc778ec8bb0198dec65e186027092e134e4abcfed314c3a2384b9fcf0027c7ae991058d854bc38b19c6c3ceeb935f80de3abee283fa

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\Microsoft\Microsoft.NET.exe

Filesize
548KB

MD5
ff3b7f563de4bd79698ca6e2ee3ca06a

SHA1
06e5eb41bec31f468229ea93a54976dc76eb4ad9

SHA256
ffb320ec60c0a19ad1a4a3dddd22075c6e66a94cbef4c321a6d09f5f3a36ae55

SHA512
29e2ec9acb0e011ed297b6bdeb1304ebd70593ec85b7b63ea89552ac05ed7f791797e79db7eb400cd4e08064e668ccfc2233bf6981ba0945ed16e83fd0a62a11

Download Submit
memory/2576-155-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2576-187-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2576-188-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4136-83-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4136-22-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/4136-21-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/4136-186-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4544-185-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4892-17-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4892-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4892-154-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4892-41-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4892-20-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4892-6-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4892-16-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4892-9-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4892-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4916-182-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/5744-13-0x00000000005D7000-0x0000000000655000-memory.dmp

Filesize
504KB

Download
memory/5744-10-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/5744-0-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/5744-5-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/5744-2-0x00000000005D7000-0x0000000000655000-memory.dmp

Filesize
504KB

Download
memory/5744-1-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download