cybergate | e8a44bf1bba48ff7c5e7d43fa015c5b08d701adb26f766d9fefa4716097a4724

Analysis

max time kernel
148s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
Size

290KB
MD5

61df91d6efac0cf943c75edfa776c511
SHA1

31901dfb5dacb7a86930ade676e78faba1ec22ed
SHA256

e8a44bf1bba48ff7c5e7d43fa015c5b08d701adb26f766d9fefa4716097a4724
SHA512

bae524223a253661e68a63dbb2292264e18088fbc126a22b59918a262b96484addd4e7b7a0ac46931cdfbe2a47e90c2797937effca3e8c3f6fb83215060a284c
SSDEEP

6144:WOpslFlqehdBCkWYxuukP1pjSKSNVkq/MVJbi:Wwsl9TBd47GLRMTbi

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

tata01111.no-ip.biz:87

Mutex

6SJ567S0T60JJ7

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CU7WP4X-8RW8-2847-AJK7-8JHH2C70DS5D}	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CU7WP4X-8RW8-2847-AJK7-8JHH2C70DS5D}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CU7WP4X-8RW8-2847-AJK7-8JHH2C70DS5D}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CU7WP4X-8RW8-2847-AJK7-8JHH2C70DS5D}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe

Executes dropped EXE 1 IoCs

pid	Process
4352	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
File opened for modification	C:\Windows\SysWOW64\install\	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3716-3-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3716-6-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/444-68-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3716-63-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1680-137-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/444-158-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1680-160-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4668	4352	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1680	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	444	explorer.exe
Token: SeRestorePrivilege	444	explorer.exe
Token: SeBackupPrivilege	1680	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
Token: SeRestorePrivilege	1680	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
Token: SeDebugPrivilege	1680	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
Token: SeDebugPrivilege	1680	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56
PID 3716 wrote to memory of 3512	3716	JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61df91d6efac0cf943c75edfa776c511.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 576
        5⤵
        Program crash
        
        PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4352 -ip 4352
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
f1ef6ef35f67f2a11d17a7cff13a93e8

SHA1
41d30ef859c9b8f1f2dcbe9494e3d8eb27d9838f

SHA256
0439d6984804e6bc137df10a5319774e9feeeddcd6623ec48e59f7e926b022f8

SHA512
a89e06f3dd3d884f86d1b9afc10be836df384026b6415d5bcf5be67743f6b1be9f8ce0ef9bd2118e2f3d3484209d14b5d290d822287b089b1fbb1e14f03e959b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0748b0ad852cb670f7707e91112f408a

SHA1
9ed13f5ad34dccd9ad6961a2cb458fb7704cf3c7

SHA256
6a49700a544879e56c4184014b5eca439489a9969374dbee007b4b60a0232549

SHA512
fc56980676b9d550d165e479929661f77f76cdc3b46c5577530009ad61583af79e54ebf7fc0eb12178dd4253a309fa4b105f7d236141b663eedd696a8a06567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dd31d746bd979af0d1d8225551368eb1

SHA1
0d52d4b8032c7e15a65b3fbfef52cf652157b09d

SHA256
1e78fddb1dfb71f13369acb9415328a7f09e3644fbbed4436352a286c1d84694

SHA512
24f5203c9682463294ac163f05747475b7fccd2523d66087a627268d41cf4e45fb85d4d1bbb9861d137f8722cd48fee0037a3b2683944e451fb63d448be87414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dfe6a280029ff4fb66d93259d48cf4ac

SHA1
20c08c69259dfacc6065e0c95966517bd862b399

SHA256
e6639ab97a8e9ae392c1f189f8818a9d068d3162c6cf55c3d6792f8b0dd5a054

SHA512
73f4b7253dc369d5fd4c983d322c5dd6fd1649c7254550d2708a01bccc393fec71e1f57e79aace41c86aa5b1e1f3160b87b7562d84e0faff15b69c30f59a6457

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1bbcd1f363540d874da913bbd837e929

SHA1
5c15d69a52a34938b177f54990390933f42510c2

SHA256
eaf4581d31406426655898612573a256dc7e95e97b1bc918f7c85a004a03e969

SHA512
5e6ecf6cd91001088743ac0de01e7eba5ccdd75eb07dfe3db2dc875312e8ddf11366a3add9ab19c94e55acb88d567190e3ab22f648bdc1361d16e5540c5de82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8b9943e1271d6aca8a1be7e5c485c1c3

SHA1
02884f79a7d373116e189c06551e4020effc4060

SHA256
cd058378ec50396eb524928aad54c1a77c80ff3a10bc22d1551e7d2f85341b9d

SHA512
e9bfb5f2d7ebfc5108dd00b4deedd9da6b570fb9f68df7c872e18851053657bed7cc6220d49b4454bb557b689984a68390f4cca35158e3739af184d302353b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0963e058ae2cfe9d9453150327e6b39f

SHA1
6ba5b2c1181d9c4d1cb68b2755bc130da3c26714

SHA256
afac17c7112620ce94dab89deabca12634ab35746c5e5e59746ede789e63238a

SHA512
05fa7d97bd3094661283a7c84979997dd1375f183f9099880b7ec199b5c3ccf1932040f101b0385dd1a28685018196196d18af7e83f839672096114250c36f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7b2ea1c7d95028dead3889c028f6a126

SHA1
b8698c7eda6c62c0021026bbcde95b07f9afe48f

SHA256
4eb4813e451760749f6513ee90bab580003042e4b045776adf4ec89c7ae943bc

SHA512
0d093a932200fbc2647a20e78b037e688acd52632d343de2ca040102a79de21733fcdf2414a3e83a40187ec24b3edd69cf435f4680e0f27f47b6b4f91ec1945f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5cd2c97f4cc78fc97aae5f66d5c7a73f

SHA1
c2726c955ecbf212387e5e03f2613f44bff2af19

SHA256
ec1ed48f594e66099fa8b5e3a342ae7296c65a42badee2756342d1f0f79dc16c

SHA512
4fa042f02a93a60402c72edfd744cb6de588bdb5f0aff5acd7be4b26a03c1aaddf293cffeb915c4124182deebf88161b972d16d9de1064c11636c549ba428b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
31fa5d582ff53baac75ecec6c7844636

SHA1
339c7c09b30694a31e5936dd9ec73339295853c3

SHA256
32580a1c8ece75113a1ebd73a4197ceccd2c6749e724386ae617b53e130348ef

SHA512
b7f40e61df9c152f9db464e7a4e51784dc2d7e771ffe3b5c36741f3ba60d943c31cfbf9420b1c898a2f8a229113fd70fa0abe1f66674d937c31d3e34be940d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
48793ba4e6e29dcfb89bf49b621b883c

SHA1
aa5f3b1ed73502e513ecb9cd677067861914d284

SHA256
f81b61a158d8e9d586ea6b113f23776d1dc55270cb060b6bce1dfd5cbbf1baec

SHA512
aee9cd9562a065dc31be30aca4f26f10f64a8806a3bd516873f6f3b3c8c78317ff5d11228f711564a207e25c11360b88df626f99f99f21ae84c347936e76eab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ee82483de886dd4d0758517f081783f7

SHA1
3ddeb9b6ae6ee03f91782db89652b36055ff83f3

SHA256
b72fedffe1192d3dbb3c41255e0c19b4bb41f339446b05991a588222248f789a

SHA512
5686da6bf40088837ea43eace96825750840f07bf72dcf32fc85eb6ab2e4dca8681794c9ed30d8814705fdcbdad9d67ffcc4017f22e2833ee3a1799a9b2d45c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7c76f99a15a8a13585ed4527684bb3be

SHA1
8dd9ae9dd08e90fa4e98f19ff8f7633371a83448

SHA256
f3e71f89c2064256a2d802b844f97ab001a105c490dbfd4ed3295d4aac93507d

SHA512
1906221bf5ef3341ea672b47296588a78e7c8e9921ef94841530623f58b7d0dfcc869e6d54a8dd810df232e51f4c8fa6bd0e6f502eed685007eb80233288789d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
02fe0546f80273d4a7a1cbdc1c6c5f76

SHA1
40903141fde244574b6c640aee221bca941411b8

SHA256
b8db5dc66388c9fbe67dc169b8bee84df442e2fd93628eccb6daf9e6f53e667a

SHA512
706d389f8dad9a9ebe3769aeeb89a8b4e46bfa996523fd5b51a7cbd48984976817a10a9609e10f7b77919f5b93f90c8a3cb86349150ae0658dd5890b2cd6f654

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
00ea1ff620825585569f8302b3fed2bb

SHA1
47dfd5a18d76bb7b51fc0d28c1d57e133704742c

SHA256
c5e15004d9bfe6d42760e1d85ecf53922f7a91e725c75deffdc92ca12e230834

SHA512
4dd8032d6857367fabe83d29f2f8f96b801ffde54b63667377b3a20aeaeb9caf39e6360a4aac436d4dcf66bab94d1eb8c89f6fe8cb83862ec1b9e542fb6e71bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
50790f4e05c8f1fe2a1b3cd8f06bb5fe

SHA1
da62fe60c6afc3a01b2a57fc058750bee96c2fcb

SHA256
91bcdd971746a2a826c79ff07d2a6c1defa47840607a5ba5936de11d7ffd0afb

SHA512
7645aba5c24b84f099d6eba21b13f434f5b4593d0c86884dd67f2b39ecdfef0a4a6578151c38d17ed2b7deefe62e86ff6e48396285f7723a82c0a2ab5dea4f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7a17d47c7b6dce90bdcae9bd24742ecc

SHA1
23ec72e4cbd46bfee40943265b9cfc5fecda8f03

SHA256
b16f0abccda6ae2312dce098904fc19c44c818e778186421db37c81f221b80ea

SHA512
82cba4ab2dbedc8b3c1b20ee6e52a252ccf9a5460b143d43ab955c46ba1520695945df4f8e42da99051e43248b5b9bede4f2c1eae90fa403354659e30f94e9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
69479f5b0f06db7e4ec30e727265b8bd

SHA1
6e61f7edd5c2d82d8e261d362b2affbc73ecf7d0

SHA256
c1db08860080d8d93caea8b0ca2f611a9a085992ca31f5d4c1b73757adb43199

SHA512
e1ad8357daa9a4c047ba1774e12778faa0dbf307c7a50d24cdecb36027c3cdaf289cd8d628ed169a3a339df8ee3da9fc2381555c6bd9e1b25880d3870519030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
122755d5a3da6f35cfe0ea8fdbcad4e2

SHA1
9a6f560cfdf3cf245348bf78162291da33d5ed1f

SHA256
bb1d18ab42279b124ea3194113ffe8ead80476c115eba06cb8bbd03cbb718eb8

SHA512
7567489468a627e7cb040a982a0e55a4d59500b1760711e13e17646c175429ff4ce2a27fa963fa2a77b2a9d2874eb41c2b3941a522af6859fc8e06a4c5550f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dc945ce15588fbb1de0d2dba4532ccf0

SHA1
dc5d7b454739cc190c0f1c0bc1aaf44ee46fb749

SHA256
b08509fc93c6203c0476e7ed9d17c1fca103212d44eec6f3de141ceca6ce4227

SHA512
8ec4354d13db7eb219f3daa31b08f6bff9af0cbb47dab1945a514118e56db2e38598d82b0bc5b23a808a9af66e456b6da88927b106acd1d3ea357eaae572258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9e5cc855cdc20aa660fd4ce752a23d3e

SHA1
0be9621e2b0fc4483b17c030cd29b040f0bc26b2

SHA256
29d56c964afb451a898e6b41408a66a5f9c2894130b3dc55c1793f0adf1e9000

SHA512
97cfc3f7dc4c7101f0cb3f75710cf420f7ada406564c4ecfc9f42f170c69ccd93558218ec89e1d2fc870bb23bc68417da52d39061a2156879ed6dc9c56fa5088

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6fccacd60070815ee3f85bf29a9bbc2c

SHA1
38a399f0976ca7d986ec85d4d7fddcac9d83574c

SHA256
04c5db5cbf2e6f5b0485be3c7873edd777332994cfeadd70df08e665fd5837bd

SHA512
f40b6deb0d61ff1dc71ca7ab7cd23fdd4905455849fc4eb4500b1694888e1e5dbdbb7873c50afa96477f48b23f5250b7939c90557866eca2231e2cf97a8a1dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7da17b0cacf0b0bb7a4e2672649fe449

SHA1
321fa49a934b35e2bd2da10026ba873242763b5d

SHA256
109fdb062f28260e4fbc5a6666556617e9fb297deaac13152026b4b51dad2efd

SHA512
e2a2270b5f742b6adf2148cd7b71f436f9ca61cf4177875530872d9ab3980da32065fd828aa031aef32100b58cd943d2a30607677123d7662c19efe3eb7dd6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2277a4c0473f0d8b55218d8822fdd665

SHA1
4adbff014919ae46fc330b255a2ad45d0c4d3a62

SHA256
3d77b9d196a5bda7b5238eea79d0bd2f0c1a87d6f10288a0770c5b034fe43d2b

SHA512
6b4eb6670ddb94987143311ff5760023c4dad2e11bd8f52413e3fb6b24dcdd4aaca4231b0da2dbea11ca8441a4fb91090aff82730bf774792978dcd12709d603

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1e749b9ac99fe0f2696bbb020112294c

SHA1
224c7f62bcdf998edbb54b8ab18e494fff3a6f08

SHA256
4a518ce5594154ac13202fd75084889e111821e625e8903097a7d54c47bbf28f

SHA512
39b2ce23146b6a93689209dd6162e95618d3191298573382a70baac2ea347bc03d6524a9bb05f2bad625204af2d88eaebdb83598c35a7f06d29de97639c09c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
489a3d2b3332a6b395646b5ab4081c8f

SHA1
b02419f2b5ffc88900073e809f02abdcc40b9d91

SHA256
c445f6da7909917fbf0309fdada4a871a6f0a0271504faf3ed46fd1e4dfccf4d

SHA512
98c04177526352a071aaac65bf14042a5afd1c1eed137c5fb9f6d4f45ea7bddfdfba6100527bbfc5f1f57db5b7f8cd62ec5c93069069084707bb5a10dd274998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
58aff0f2f88ba0f5a53d05477b744c21

SHA1
6a52fd4c8e82964fd076801e91dc272e8ccb7676

SHA256
72efc558536d66e57854246a9f35bdb9b93fa0eb71bfdac981614371fb57ea8b

SHA512
b0115f3c88fdf79a2d1baa49577184bafa13d985ca81a31768f1cdf41e0f452678ffc786cae626aeaf5fa018c23ec4e09510537e46891a56b3264e0f126532b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4492d71438d62089ceec55b322e80ce0

SHA1
fa0cb5b035279b2b58eb2d1909c82db75c44edf4

SHA256
0dde08eab8f9a8f58251eb69423c770ee0c240c812aa93cdbf12ba65d612dab4

SHA512
b902506e175f45ab476b3cf5e967b7f6e2e416a8dc0ceabb4d15aef51e166db4038140b946e8441931fe779eda9ddfa74086906b0f30b3436024b5d94fd389ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
66783c5cd7373829426f2791abbc2da1

SHA1
83f2945f6702b0c5a63d1318b3aeccfc5c83a2e7

SHA256
37178f35c78d588227d62788718f08dd4a48b87f86570bbc7669928ad5db0642

SHA512
f597f8ed5427657af6372a3008e9863172f176b1119e1778a1855ec84cfa3c908491f5e00382433b01af7587b1f1f9ce0b9e6618aa5940a9d3e22d6c2cf46ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
339d726c098819343bb61e41869f5fd0

SHA1
f5dfe5d3a4fdd1d903a8858febc09677c8770313

SHA256
e8b9eca2064b6d07a7f2883803295a79da651251300da96c9988a51f78b14f73

SHA512
af71c99ff012ae6d43ea4d379f56d58cf3a3747d19200b402aca894e1630376a26ddbfb1b446dc8d9a57539c94e5acdfc43b3e5f68e5916a86da49f37b8bd60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4a9862c5e4b9898157b3f8bb4c4a68d5

SHA1
adff6193b7f8d660a7271758aa3b99eb10728995

SHA256
e9beaac7036bbc662c39f883cf04946ee25fb4693ebc2ac8e5d924d7bad573c2

SHA512
1c60951693b7476431ef7d835cd6bb9be91613d7cee715f6752ca0371a80a2e30d8662dc6eeed12714af6b1310fa312ae93a0cf5097654b061fff3e7c5e2ab76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aae2b7c92adc941f302a0088339d0305

SHA1
bbdde78b27987290766623fccd031160566210e6

SHA256
97c31c91b00d7722aa75a4bd6fd36ebf66e0fa8c69afa6660e655291093c373a

SHA512
83ee0da838f7a21a42dfcbc59055e1dcc78ede3158b45a42ad9c867294d093f69c3300d02714af38c00573a5227e6f2b63a375142b6d91c52fa84aa9cb320bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b1048ce5888dcd4d2c656392c02982fc

SHA1
585d6a320258b67105f221054afa40c083c9a94f

SHA256
5e61ff6c99486fe4f4701a2aa9de990c0cbea1de4292cd2daf5c782ad09a6ce7

SHA512
de7caf9086361c154c142424f99d5ec476d9cb3c86186e55756d53df6a2779a360fcbcc57e25d7db94b0722da8038c208a4cc97027d2b5a857c19d8d125a47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3fc035f4f60c58226cd50294654b320e

SHA1
cc0bca0e518b13caec3a0ae289f03eaf2161df3a

SHA256
5c01188e25f9bf4018467b5489bfdb8d947443bc15670aec939a232fc4bf1f67

SHA512
2e72eef2e6d10c93ff505188970073f0b1f787d0abe2944954a9aa9a6c9d5e181779e66e5815505f35d9de946dfbdf2e6a08e97c125055636aef63239570d882

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
31935235cd94bf2f2c2aa912284edd21

SHA1
d8406ae794a210b2f3eef45e873a6f125f15fdfe

SHA256
618efe04519b24db0b870738311d10cc3e7fff2db3719bc9ca1bf6bc04e79af1

SHA512
e771b349eb5aba2b0b9e38be60c3fb72ed1a83b2414383add626bae3e8ef4286d60bc7b5187c541b843c386da8623488e8cfc4f7b5cf5b55927b4942c72b9a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8a257f75f8e9ba6f963f0ad2bd0dfd80

SHA1
0111c5b93ce2043e3936675be0ff5b651906dbf5

SHA256
b3b471e5d5e33a6e72294b6926374d7bb827cf97e706d8d7094a8603c308af44

SHA512
2553472f31622d8b3fe45e942bf6bd0ee84cfbb1657db3874bf0ccdf1549ad6ed0fe0404706b3bdf2f18e66e5f6ab5c2e3eb66d7fb46809b6b11a7540a30b28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3dfc3c88a7dcd1d5a5179153b9df91ad

SHA1
b037cc7e8fc16d2bcd91d7c88fe7c681a2e6fb30

SHA256
136253aca209f423acf7846385c1aa0148caeee19857c60e2cb196042ea8ad09

SHA512
c102b603451fa7afe2dbb9b07d05a984a18d91dcbb3313fe337cd9bcf37083f1389a70db26eb9a6858ad587c72fa8859578170d71272902a9ab12a7d6a636700

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4ec406a70067ae246734b53278dd3afa

SHA1
3d4e9b29f4fa0cc9e8b94633358e719f4e7a872c

SHA256
5ea8adb1c743822673aee366ae0215405d9ad425a395c7c6a2e9d2f6a5276e81

SHA512
1846f99558bad1daeebdc2038146a778fec807c9186ec9f6e8a7a708c833bb6b7a48d7a07d153adde14e45dc206926eaf55b8a5a4ef3a8d944c1c9f0eb60b8eb

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
290KB

MD5
61df91d6efac0cf943c75edfa776c511

SHA1
31901dfb5dacb7a86930ade676e78faba1ec22ed

SHA256
e8a44bf1bba48ff7c5e7d43fa015c5b08d701adb26f766d9fefa4716097a4724

SHA512
bae524223a253661e68a63dbb2292264e18088fbc126a22b59918a262b96484addd4e7b7a0ac46931cdfbe2a47e90c2797937effca3e8c3f6fb83215060a284c

Download Submit
memory/444-7-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/444-68-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/444-66-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download
memory/444-8-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/444-158-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1680-137-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1680-160-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/3716-6-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3716-63-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3716-3-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads