cybergate | 76d6e0d84fe8bb058c18874142ea4afaa8fefc8a4ad08a1f1202142d281226fa

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
Size

610KB
MD5

f439ab99b610130c4452c1ae21ee39bc
SHA1

5ea3e7b5b6ed6a460b31be5d3bb2fb2e668a343a
SHA256

76d6e0d84fe8bb058c18874142ea4afaa8fefc8a4ad08a1f1202142d281226fa
SHA512

232db5559f2ea0192687e92f3a2687b41cd79faac1d95a50fb3a2f33693690f0a34f58fff70c61414b97a484329215cb449a2b4975b83f4070eaee7c0e405b57
SSDEEP

12288:qBMmKGnhDT+JlCu0G6KC2m9QnNSSn7WCNtXQ5JaDYrzUpi86KMl:IMmnDC+uuo/Sw7WC8JaD/pQz

Score

10^/10

cybergate expst.no-ip.org discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

expst.no-ip.org

expst.no-ip.org:1338

expst.no-ip.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
System32
install_file
System.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
ESTOU TESTANDO ESE APLICATIVO SABIA!
message_box_title
Executando...
password
59255433
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\System32\\System.exe"	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\System32\\System.exe"	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JWL47HNW-G1M6-RQ6T-0162-FSP5EMTG087V}	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JWL47HNW-G1M6-RQ6T-0162-FSP5EMTG087V}\StubPath = "C:\\Windows\\system32\\System32\\System.exe Restart"	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JWL47HNW-G1M6-RQ6T-0162-FSP5EMTG087V}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JWL47HNW-G1M6-RQ6T-0162-FSP5EMTG087V}\StubPath = "C:\\Windows\\system32\\System32\\System.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2844	System.exe
744	System.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\System32\\System.exe"	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\System32\\System.exe"	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4916-4-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/2844-168-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System32\System.exe	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\System32\System.exe	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 744	2844	System.exe	88

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4916-0-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4916-4-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/208-9-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/208-70-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4444-74-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/files/0x000b000000023b63-77.dat	upx
behavioral2/memory/2908-146-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/2844-168-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4444-172-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2908-173-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/2908-174-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1464	744	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2908	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
Token: SeDebugPrivilege	2908	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 208	4916	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	83
PID 4916 wrote to memory of 208	4916	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	83
PID 4916 wrote to memory of 208	4916	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	83
PID 4916 wrote to memory of 208	4916	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	83
PID 4916 wrote to memory of 208	4916	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	83
PID 4916 wrote to memory of 208	4916	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	83
PID 4916 wrote to memory of 208	4916	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	83
PID 4916 wrote to memory of 208	4916	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	83
PID 4916 wrote to memory of 208	4916	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	83
PID 4916 wrote to memory of 208	4916	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	83
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55
PID 208 wrote to memory of 3548	208	f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:4444
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f439ab99b610130c4452c1ae21ee39bc_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2908
    - - C:\Windows\SysWOW64\System32\System.exe
        
        "C:\Windows\system32\System32\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2844
      - C:\Windows\SysWOW64\System32\System.exe
        
        "C:\Windows\SysWOW64\System32\System.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 548
        7⤵
        Program crash
        
        PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 744 -ip 744
1⤵
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
7ae53afbb9089900fe6a7c0c23c132ea

SHA1
68fb52a7939fe34ef7a894b9c1468f5cd15fa299

SHA256
e8458e90c911c87efbf8eb9a7bc633935a0624a091e4e3ba910cd83f79127c07

SHA512
7b812fd2845f5e5b07cf8344f7a2358175507994fbf7b85e8c22fc79e539e5b56cb9b73a31c7d88e916128469fbff4db22731e711e0f1842fa7aeaa216de9ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b8b9b2e78fd10d5830e21961a4e6b094

SHA1
38438dfc1fce6e2da7337ae8fb7099535f9a76f1

SHA256
9ca20a9156af36a407d484a1b612ba759bf5dacd8a4f1f6a19f06419cdeb4bc1

SHA512
239c77ff770ee895b8775b5e5d6e26f8a09f9130175c093a4212ccd6e22b926310293105b1c3eab9d825e2614d9d7d8418c6062a88420072e5e5d55e60da5e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9e6f2794a9d95fc120a44cfeed897889

SHA1
642556606e23f226dcba1b427170dd81758b3f9f

SHA256
0403c571b39bda48f42f0de67e342c15eb6e072c65866811250798c993fb7067

SHA512
ae207f09493a33ea8c5a64d6a6bc320d5742750afdfb3d52aaaf2fe65044aadf733e605a0991502b3da6eab2a7006e0fd6bdec3cd236c8ae4d5aa6e7224323fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dbe30d82c1055c7d267c4c4067df0f05

SHA1
1bac6aae34f938a416a5dfcf6baea2ee16ecae0a

SHA256
81fa441353eeafdcba9cce2888b136c5640a7114fc4c3de9d36180d472d65b80

SHA512
4db078762943ed89f1e15c69b1bad9b81f7e954ac13ee550765b1ca937957b08cb7a70217614a3f36910e388119c0c58f13de5a305102bdefde2ad02cddbcd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d9e19a5df2f4b356c61231edc365784c

SHA1
308b356150562569167ca30fc2dffdf0e6cce2d3

SHA256
90d9d2932be33bf8956e16089612679a80599a49d7e28568b257415027775fa1

SHA512
a7080b720207445b89a7148602f6211fd81bc0f96ac498769cbdc4321eee574ec4ff16f8315d9b55710bcc3c9488ceea6fe418d4d0f95765f832c95e778a2bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
65ee2293d8dbea989d5b9615c92d125e

SHA1
073812dafceea213e46a0cd5d6c3ea119a436605

SHA256
2eca8de55bac0ccf8245d3afc18b53f3e1622f7bdd624d4cc7dacb46e9a64e4c

SHA512
e898fe4a9cc92f224c61e434ca9bd7afafabc37470608703f00dcc15dcef2f541ccf6ab74d69bc58da71fe379003832eadf6075d6a06c307df52fa843b1dbde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4c60abf0d601115b028ac641154323dd

SHA1
55c9e3b9e19df6a812342744f6481d2b8bad191a

SHA256
79a50f23773aedbf4078816e0fe566cd85ee946b655867906ead3bcac864cc3e

SHA512
b4da356ecaa7d43939b495ec1d61428c7d5b14730449572586db3a2aac715e34625bbceaeb898f3fe61bccff37299e4a6d76b642fa401f5b028cd7c723736f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ff230cf43cab22b665d154d035f02bff

SHA1
939ed2cc3065cfb993596a16c3cc6d8721bfcaa7

SHA256
9db49f0b42c740f23856d19b0e5509245b0fd7023b03624b81f09f5b9a6e1b21

SHA512
67823b1ccb943e5fdd5a4d440bc6cfac3c4df1460ba48a95643ed202467eb84bb72c3e8d0c1aea920a2e9ea5e0ac587824d336f8e99f875d1d3ecd5b6bc2b310

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a1217476c47e35d6ba448210d00eadf5

SHA1
ebc265bb464fd5258170b6c2e7309b884ea4b475

SHA256
fee50bc5e3b444880ce8bced25af16e7f208cc13ffb4cefc4101ed6991418389

SHA512
9921c45381d782484da58b06672d6f2cd381b89a781d1d348ff31de618603acfd3a85df2a0fda769ba874e0b45acc69053f71f834eb007b01456400df736193d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b3ac037cf36c83e881c86899fd7fa1b1

SHA1
d3f95a035308588480cc010949ef1e96e40b3110

SHA256
3a15123b9f65a1c29c13c5658b93175c4c408400a2f6b1a40b53be23e2900ff9

SHA512
c3156ba28c7af8061980ddd0075c9757cb8033b2d555e5e723c2c181f0b2b18395b0fcef610493e30331952e2af27f3a9a494a672402c5d5f88bb70724a572fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aea2c30d8dd362022837a1532922b459

SHA1
16d4231c6e94c5885c60a9056864bf334e1d5957

SHA256
1797cc72e47ff7a72a8f083641e38adb70bdbb377924c19fc64d735006a5439b

SHA512
24ed75b2445e51f033b1a1d778399aae0e53734436be61cbdce251ed3cbb095e2f10d5d0c6f4ca8eeebea9258c1eef3adf362ee2be8eba35051950944c69bb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
15bfc34b093d8154aeed643bb4e56496

SHA1
96b20824bd5377878f1f236f0bbfe8a21a307497

SHA256
ab561afe6f0a29563faa5d4d08e30db15bd74edac9be2b184cb279fd408b3512

SHA512
a8b42ee490a77082355bda23bb5338ef8c574df9c90781edd3eb52da104a26bed5bae13f8ef01b226282d01df589347bc408a568a4114a08d3de648ae08989a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0ef52322331872f3c91d3ffb03931ae5

SHA1
0458a89d749a08e718352caeb5a0e01b657c608c

SHA256
0cc57ee1a98f223b58758b784b1bbf2cbd8a3c70737da1201200dd304b20eb82

SHA512
b180affed287c3dfbc95179f03e7854d77f116a90646172e9c08e204870dea96d159de6b921846f05d317be79495224af64c14e0e8d990ef97a7d2b819ca26b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bfc98cf9ae39b80921738bcd5b3a851d

SHA1
802ef99f809fca0c5f6859b543aa4d03552ab95b

SHA256
3e327752fcc41929da006cfd14a35a70b088f68ef68e1e8434f9a2a3f1a1112a

SHA512
83900a5652f1af19b24eaf513a147b2df181a450238b82a7aa94ae1779551ec623abc33f942cf73f5d87653182039a2c6009cf317a9924b17fb33f84a8c4fdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b34f1c95372cf8abd1e0aed998a772e7

SHA1
8d7dcc4e75b3000a1cd9fab76c50b82f11eedd59

SHA256
c68dd12b06a2d2b40dd83267d54f6082b0f420bc99689d76ac05e41392adc8f6

SHA512
be471c226072dcbc2575588346be146ead1bf0dec040e8edc2e9e5dc51b0c9706e5314a4dea82553ce3debc05991c56a67f44aa0b227021df995e99fdaffb836

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
42584ab687dfb4adf336b0718b5a39f0

SHA1
05cd06afc180da63543a975d08a0c40d11c45bb0

SHA256
dd172bb77bb4c31acedf1d7fd8837df32ca463bfe842fc15c7f9a4105375592c

SHA512
fc0b437dbc8705215ba3c8534548fcef4d1c22c84d7558a9a1c8180d5b279aa11fc64742fd42a355ed884fe2018d01b51d7a8852e1845e68c6614a9fa93c7d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
da686502320aa63bcede6d79aa291093

SHA1
34ae98eb7c5a0979fc4534f273ae77f6199fc2e0

SHA256
0875b60a4429d6d8adb64d2033a3032da3ce5ed8e1e5d770235722ea6cfc6b5e

SHA512
7bed6b9ef69b80278cbb5f93c49942a43c62669a20e250a45fce060d529f52a955c322e489bcbd935f638c47730b63396edfa9e5f6a898b6089ecab5680abf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3710dd4caf67c22676adf54aeea83f21

SHA1
69cee73947b75d425a82ef2a27a0020dd53325a1

SHA256
791bfc5b0622cd0606fcde8d2c45a32242ece775abb9290bf41ca8ccee824008

SHA512
67501a46ae1c1896dff27c94e4207f5d67d38ce0dc129f0c2ae36114de69fc5469517681184df19265e99c6f71be01fa61a3c09cb08ac244d6dc5e252a819949

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e1a2850414a8670e45cd2df75634a88

SHA1
e794b20038ab878e1267724287ce2c0861183d08

SHA256
71d0e26bc31c874439d0572450874847898b32ea6e4786df826900582b5e068c

SHA512
7a3d4743c7c3667ac211fa019a5fa436a42c66eaf5b8954d99b6d99b9e9adeeb1de1a98a38a635c6dba83fca53bbb933e3ebb303c53aa67aad8916e059993ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e79f4ea513c0b509a88902ef8acac78a

SHA1
06ae895bc5f140f5302eb8e9b9614f21effda06a

SHA256
39eed574f69b1bca2f1dfcf71ba0da03032649176c4a8fc212e087936db86820

SHA512
23bd0e1d0a81ba71b1340bfee0aec6db6a50187180ff5838178b15f648cbcf24f9a6c0ee49de9f1eaa2f802e109160d9ed8d1ac0a0966babe5514903adea16cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8f6bdb9c6617b6b1373cd02223e7826b

SHA1
52ac07c183d80748491cdabb80150ed696711776

SHA256
9ba07167affbf87b365403367bd58fc699416b9f4c724fdcd68856971f9e9c15

SHA512
53276bfc8d11de5a6d45a54df758f1183a7137e011fd4acd2e2bd59045d0a9a219cb1e6fa3813a35511aa7b2c42c109de25e8fecc49a8cb6ee123f757ea21eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7611bfa621869c85b04726954265ea11

SHA1
a76c0473d99c656021a30b415e6fef2fdc1064a5

SHA256
e7f71dfe6b08b0c4e0539cdb20e74171239337a12d787c654b0df42cc1255490

SHA512
645cf0a952fb8fe3fe2a8fbcbdbdc93a879d937150b5aba8fae9e8ec532c782da97b61b303cadd531889b87125ace7ff9c6f0b76f36aec58ed7188697f1bbdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f659e5bf1e438a7909ad2dbc12e852e1

SHA1
b630b7837f9535544b4ca2ab37cfa7a9890e54ac

SHA256
4dbb4b20c3d10fff17c9e8d21bd8cfdcfddc1e991c567f3a5dbae196a45ae11f

SHA512
ad3d922519af3b57d9018dcb3b6dbf7c581bb718e563fafd5b4cfc2e41ffe51db9c731f0eaa2f2460028d8864f19e7a2ae17859d3898c5c2a93df781b7acee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d317bf9e77166432713ca4eafea0aa2d

SHA1
b6af5d5e3ec7dc5b3a221530eb99bab65ff9285d

SHA256
08199d45721c23302845320f07ea5df44033be4bf3969f1768999df316f5a5f7

SHA512
68765016e29e18ab484807d3c9a0e6d10691af455ae81d94715d5a3633432e0f6f63ee685616bd444c587126cda7da22f52fbfa95b4a696c2f9016f84c510524

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2c218f1765b794f3b34a31b189b48efc

SHA1
27380c8e984d1136321b92800980440a4169ba20

SHA256
67bae2a55d15728dd7b941c5dcf0633ffe6aa290166ad013d743f3b8c37ebb83

SHA512
53703130d3a779305047b784a3022ecc422e05231cdbccff70339fefdaf48bc4a04c80dab527c9fbee825d86752628d4e0f10c21e375dcdd45fe5f9a0d72a1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
097a895edb1545c89ea2668b0154ec9b

SHA1
748ef82b961bd4082fc2e342b598912231357572

SHA256
7b6fa8cdabb3af3a1c14b68b94bbb40323d38e1c46a685306b2d0ddc0e5c67e3

SHA512
ca652a20d22bf1abf176bbe07cb50686a2e649a97c295bda264db66220709c0624f2534e145be910ed86c10854dec747c34b7c84f53fd95062f9ef5a000e5096

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f9bc99dd747405fd326d8fd2629556c6

SHA1
261542a1e175d0ece9fb05a3d4cc39a3d50b2165

SHA256
59068c48b152dd2c43fbb7394ee811a31b05cba084dcc4bdef9d1a749408244f

SHA512
c19273af05656b4a78b435ea9dfc79b8618ee6e2e88135ea3dafaba75199bfe3096e8839d6f7c01d147ed32bef1323ebd8f78dc3e8d9dd784e27bbb7813b4135

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4cba51fbf7891bdef257145ee94af92e

SHA1
94c331d0afa9310488e3ccb8e742e9128cc7526d

SHA256
54b02248bbbed5a7eee7b05bd96ac34290e24acab2d99cc12fb35c9479edd366

SHA512
3b6079811aab7beadce530d98e071e95c6af6ab8a61ee765372fa0c9d22e4db648eb4cc8eedc2051fd9ea7d62aa7aada9443b84b0f66518934ec29c63fd1d0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d8000cb534dfc8692b25a5a74c094328

SHA1
5a611ba020f0da6c453ef12dfe402de5ff4a864d

SHA256
b0586b8ee0df12ed68bb5b8f1a7a69fa58e45ae3d442d2001c0a3cf675f3d480

SHA512
8cafea2d8bbc57d1c49fdd14c86669892f1070d74df39ed5b4e4704d43fa23f51ce47aeb8c30b8b257ef8449a7af3e7270823f4b7857d86f526fa5cccb53914a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4e4b63dfc10342693c2d75d394ede660

SHA1
7a2a4d1e0d1289a2caadacc01e2ecc6086f936fd

SHA256
04f7313f160cc508ef1a9e8cb6156190bd276054a2b4bd4c04e0b5c5ea4d50d7

SHA512
09c47454544546607378d4856a33012d0faaf58262a375934cfbe36c158b71fb0c073bf1522608ae35535324708ca5458769a2782e22b5d4068263809493f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
03d1f58be0c5097477321f2933fa535f

SHA1
29cd016b642e0b64049fcbcae7ac6ede2e40f4ba

SHA256
8b4f936319c57b261f9cc06cc8bb697ad314c680efbf34e557276ec992721c84

SHA512
63c246f0fd80d4481621598df794bd27fe97063bbc76059a19682f866c082fefa07f7bbe6579f5fb4d5afa65548e72d813650c9b94de73398c4202440f095f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5a19a048c743da9787988e115788d800

SHA1
c6d2eecb40a24390079e441c08a966f99c19e47f

SHA256
44fd18db4ccc4a936f5b30989b76853cea8689b152526d1112f9b14dcdf2c6ba

SHA512
aaf26369215e58c4041bdca45dcb9454f4f7ad07c03800b3cf9291b8a99f2316ad0687776e046a9fdda897f6566ea80b33e5c36973d6133357eaeb9b0f90983a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6925293621982164f39647de0714f67f

SHA1
4da42a4e91e14452a426f8c53d887ce6dc572624

SHA256
05adff4ac9d5b663227099293093f701f3bd3cbc8748c033d84fc699ef6eceb8

SHA512
ddf5295adc8d0b13173a583d0d7ae382c796c2012a748e8f80cf0981a3ae1f44e485d4c688fb95d499b93ccfca365535e6d7605ca7f1df49bdcdc117b48dd217

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7d4c2af172f4d2679414992fa09b7c5c

SHA1
fd0439de26471ffe9416b79d0894a6bebbfd385e

SHA256
0ad71b4d92f08e19e940daed4693e86ccd2991b07c71be5afacf3dfd5c6b03f0

SHA512
0c2865905d215e3c8e3386788083909e05d184a91bca6a2d4f7bb6a43ecbae8172e10e872d958960187161cacbd35fa33934755a53023e0c024c4682a391e74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ec26647a65bd0a472ee6f91519c99d5e

SHA1
aa1926da014ada562f1bc2456e72c6dc2611d311

SHA256
83b8617b0de4a3e343ea4c2f8c9b981bd4061a559d7278c8121ed278889afe63

SHA512
41e23045d12706c664f0e9129a8a5c554d082cfde8438e84c6e0a89cf2d81669e4965e63ca8e12e5230ad55561e01e6ec59e94403ca76fce036a6e3a2f3dd4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d350b2e9346b6c1dfd84c82712e977d4

SHA1
babd142fa895bfcc9783e627e3ab5e088dd94502

SHA256
d79f81f37b19cdc7178cbc0ecbbe7f9506332afeb1363238b790f686686381de

SHA512
7aa756f68f465119eaaed69786edae987ffa7acc88349de52fc9a552a07fcbc6d426a370d803ae8561872666d11d46d0fd9282598696f49e424fe32aa3956406

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\System32\System.exe

Filesize
610KB

MD5
f439ab99b610130c4452c1ae21ee39bc

SHA1
5ea3e7b5b6ed6a460b31be5d3bb2fb2e668a343a

SHA256
76d6e0d84fe8bb058c18874142ea4afaa8fefc8a4ad08a1f1202142d281226fa

SHA512
232db5559f2ea0192687e92f3a2687b41cd79faac1d95a50fb3a2f33693690f0a34f58fff70c61414b97a484329215cb449a2b4975b83f4070eaee7c0e405b57

Download Submit
memory/208-29-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/208-70-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/208-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/208-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/208-9-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/208-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/208-145-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2844-168-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2908-173-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2908-174-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2908-146-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4444-14-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4444-172-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4444-74-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4444-13-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/4916-4-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4916-0-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads