cybergate | 3f8870b2acc3e181331384978ad9b2896d70f31d6e94b6149a2ad91853360f11

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2025, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe
Size

500KB
MD5

7b60e1885038ef24aba8fcbea7770425
SHA1

14bad7d79c8cf6def11a178f4efbedaa0f8a7f60
SHA256

3f8870b2acc3e181331384978ad9b2896d70f31d6e94b6149a2ad91853360f11
SHA512

6f6060a2867af9021e84d249daa32be50139398dbcf19d37f5e43b6115ff0771c464b7680f340284c0d7f1514ade423e9b993bd406ac73b1b2f49e287eefa0ee
SSDEEP

12288:3xexIc4ZzqNFpDo6eTtPPbQ0iVuAqpc1pZMrlwXq3Mi:MxZHNFpDo7tPEMAUc1pZSwD

Score

10^/10

cybergate [email protected]discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

[email protected]

lstreeet.no-ip.biz:15963

Mutex

OAKTI06NWO4PTL

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
winlogone.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
whore1
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	real.exe

Executes dropped EXE 4 IoCs

pid	Process
2452	real.exe
640	real.exe
836	real.exe
2548	real.exe

Loads dropped DLL 1 IoCs

pid	Process
3912	real.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key Name real = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName@OFF@\\real.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 1004	2440	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	102
PID 2452 set thread context of 640	2452	real.exe	109
PID 2452 set thread context of 836	2452	real.exe	110

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2440-0-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/2440-5-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/1004-15-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1004-17-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1004-21-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2440-20-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/files/0x0002000000021ee0-37.dat	upx
behavioral2/memory/2452-45-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/2452-48-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/2452-49-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/1004-50-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2452-66-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/2452-75-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/1004-79-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/836-84-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/836-88-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/640-170-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3912-175-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/2548-184-0x0000000000400000-0x0000000000580000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	real.exe
Token: SeBackupPrivilege	3912	real.exe
Token: SeRestorePrivilege	3912	real.exe
Token: SeDebugPrivilege	3912	real.exe
Token: SeDebugPrivilege	3912	real.exe
Token: SeDebugPrivilege	640	real.exe
Token: SeDebugPrivilege	640	real.exe
Token: SeDebugPrivilege	640	real.exe
Token: SeDebugPrivilege	640	real.exe
Token: SeDebugPrivilege	640	real.exe
Token: SeDebugPrivilege	640	real.exe
Token: SeDebugPrivilege	640	real.exe
Token: SeDebugPrivilege	640	real.exe
Token: SeDebugPrivilege	640	real.exe
Token: SeDebugPrivilege	640	real.exe
Token: SeDebugPrivilege	640	real.exe
Token: SeDebugPrivilege	640	real.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2440	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe
1004	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe
2452	real.exe
640	real.exe
2548	real.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1004	2440	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	102
PID 2440 wrote to memory of 1004	2440	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	102
PID 2440 wrote to memory of 1004	2440	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	102
PID 2440 wrote to memory of 1004	2440	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	102
PID 2440 wrote to memory of 1004	2440	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	102
PID 2440 wrote to memory of 1004	2440	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	102
PID 2440 wrote to memory of 1004	2440	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	102
PID 2440 wrote to memory of 1004	2440	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	102
PID 1004 wrote to memory of 3736	1004	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	103
PID 1004 wrote to memory of 3736	1004	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	103
PID 1004 wrote to memory of 3736	1004	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	103
PID 3736 wrote to memory of 4628	3736	cmd.exe	107
PID 3736 wrote to memory of 4628	3736	cmd.exe	107
PID 3736 wrote to memory of 4628	3736	cmd.exe	107
PID 1004 wrote to memory of 2452	1004	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	108
PID 1004 wrote to memory of 2452	1004	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	108
PID 1004 wrote to memory of 2452	1004	JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe	108
PID 2452 wrote to memory of 640	2452	real.exe	109
PID 2452 wrote to memory of 640	2452	real.exe	109
PID 2452 wrote to memory of 640	2452	real.exe	109
PID 2452 wrote to memory of 640	2452	real.exe	109
PID 2452 wrote to memory of 640	2452	real.exe	109
PID 2452 wrote to memory of 640	2452	real.exe	109
PID 2452 wrote to memory of 640	2452	real.exe	109
PID 2452 wrote to memory of 640	2452	real.exe	109
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 2452 wrote to memory of 836	2452	real.exe	110
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111
PID 836 wrote to memory of 1312	836	real.exe	111

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b60e1885038ef24aba8fcbea7770425.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOTQE.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Key Name real" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4628
- - C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe
    "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe
      "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:640
  - - C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe
      "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:836
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1312
    - - C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe
        
        "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe"
        5⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
      - C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe
        
        "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
7f198c345ee51464a78fdce6345155bf

SHA1
790df04136ae8251c5f719f93fd0f0411daeba01

SHA256
b47ee1e4198cb7864f59b8e56a0c3586ab1fc407ebd870d24e1bf7b6d9f3061f

SHA512
854356180d58715b3327b953242bac94d0b5be0aabc29f9aa321ff204c822bd84f8a87999b3e932f9f45899fa6378e2b5633e80715e329f73f1d9362c9978547

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
04dfeee3d2a45cbda90b4d6ab645968d

SHA1
b689555481a5f25bad5a4e5c08edcf6ecbe71590

SHA256
969188fee131164184e9643b8244c42b25d0fccbcce770f356943bbf64f0c143

SHA512
ce6d349b2232e3fee5aef55cc7c06e2e5139ffeff9ffdc98b911b98ffe456b16c5111bf7e510d31a111d26f230e36bb3d42e56775c1b8321038f4e0afe2de2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e58f6e61c1b9c29e940ab2157d912381

SHA1
7267e3fd575ba3905dd4b1745ef5c45e2aca6a54

SHA256
323eaf173b3d7120bb7b5f1e9efabead1378abb8d1d10e7e0aaaa7fe146aeaa4

SHA512
980c936bbea6266ebe9f86092d1e4800e06c0a7b0c20e2da1ee289385ee25d461ca273a460d83d58966537eb5fa02c70ac65891e792c2e37a5f6560b92cfbee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
423162415d68374a920ef22184c6c540

SHA1
d6aabe49f6b35804edffe4296d1a79acdc9a8af8

SHA256
9c1c00666983dc26750223cfc6e0f595490ed00be205df32efbeaf26440801bf

SHA512
201a787786dd6e196a9023514021aab9a1102a1cf97e6049afd0c71a9c7c46534dec471c5d7054124df2368c66abe7c7f1afa8dec51d103ec01caf2daa593dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
50c59f1ab05a0178c2dc1527b6bad4b6

SHA1
3f71bded6f6f37680cc580c9a9db543657818df7

SHA256
01193cb28dc29ec9aa3fc8e8fdbdeed37ac03481e7535b8d39fe6ade29aec59f

SHA512
0b1f91551675a827e20a2454cbdce56a8fac1925b80f82862caf4fcbf18d981e7abf1a4517ed9083d837a020906dd8967d63fda89597cc37b9761af028f4be28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b66ec44b6edf1bbdeeaa9ba8f0da9184

SHA1
9e03c5c41518628e69236c54cb3e8fb117fbf1c0

SHA256
7254aa25323e353e6cc5a9f8c94c7a5f429b863ce849f235cb7d2c58f9358ad2

SHA512
b5928eee376496cf3cacb7ea6097c01d4f11d22c90f143d39309168fe947d2978e8940ece0fae811b95b4de06755dfc0e4878b945f0e202f67f9fb5d432d9469

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c3d6a567fb4bcb5c493ce53d7d44cca1

SHA1
fa3f1d9ea6f58c143a42108dea4c2cf49be7a3ed

SHA256
571ad5055319dd8f523a9ec382220a3f82c919fa455570957cb10a6288b9e2e2

SHA512
92b49ba926b3fe01f7ad0a54e3c679a0944bb4932c412bc92af8edb0be8a7d2459e6b2d1299eb238e05bee6d9d4d11ec7188f0506d19b344110287838a1c5c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
da0bdb1b946be313bfa279f4d97b5cd5

SHA1
c4cf1ce7206925b99dbff3bcdfc25816d997c33d

SHA256
5689225b2c6e812cb8d3c14d46bb95703da8a0ab8a0e5be0bdd45757e033ec96

SHA512
d3976533c3561c9599811a5f51d228e802e17d6db56310fa9d04e2855b75fbd2081cfc82d59ff71ae9caca3558278509c9766b21888051d621f1ab196ad4c32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ab56269ce5710e1edf4fa1b83078e4b9

SHA1
fb94e88c3bb3ffbce4d22799c5336c05c3b8735d

SHA256
00454df95574bc8c5a647d28ba5cebf8abacb8c5aba6f0231548a64e0afe7b7d

SHA512
723aa24c028ffdec1cc814dd23342ba8a833ba9f0a6f7b5111a9cd084a618c963b6cc71234cd9239ee1dcd34e084a85c2ab3b30f3d00d19d1742429501b6e715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e4fdb1bbd6f690d64dc79295dcac1d7b

SHA1
7ec31379a432af5c4778ae2a3569f7ef6bf71436

SHA256
3e906848f6ee743fba51b589d747c28d2ed5c75ed508d4d4b77c072f3196c5a5

SHA512
a4d80cf8ca0e37310d17ffc6eb2a45ca12ef3c231cd3d8ae70a47dfb93e362e684714b114152c8d4530aabc917664a42a7fc7c96c99fcfefa67cfcfc15f9053e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9ddcb53cfc3cc975dbc9be63fd85be7b

SHA1
53a9c6bccde36d3ef103efa640e1415aa7439b86

SHA256
128a0859f6c91e653e2643d2ddb38bc04c3fc9222af8a4d2d23dfc7cd79581dd

SHA512
83d637743eec5e7df6729d9a0d0e3098edd6a93a6b2b70b628f539fe6ab93a705abc7ba64f2c03866fa8db68fca698cd1b5f4020879a5af9100f5642a678492c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin8

Filesize
8B

MD5
57ea05eae3d58eeefec9518c118f46cf

SHA1
a1096a504bca49c3e0af4f4d4e8815654a1a33fe

SHA256
012aaf885b52f4ab68055e44006dc9b6d320e5bc50c800552669812f17998cd5

SHA512
387159de2fd8ddac2fb4300b900cd0a4b66de3938f6b9e1ad85226e5ac7c3c166ead7e14595a8a8eec4b1d53a3eff7de6bdc666529284317c68b4f43bbc6813c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOTQE.txt

Filesize
155B

MD5
f8c91c062813c5d40d7dad776438c3cc

SHA1
9db3fbda51c2f872ba693f6be0318b8d842b251c

SHA256
13b5540373c481fc4050c54b397e8569589e4a75737889bdb173c3d98343f7ef

SHA512
2e137f8920143b6a40a3ac9674e371b8e41f575a02b10765d9146ccc69091d6bc525f600304f1239c895e3a784a2c5caaa86270ebf8fe5c0b616d71eda968baf

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe

Filesize
500KB

MD5
46dcc911135d9aabc2dd0329ee02d659

SHA1
ca1a32ca6d85c6dac49789a7556a2589f9c6da09

SHA256
71b4d2a41dc8026c0df9b0986b76cb8865579ee416c97bb1bb65db639d36ed09

SHA512
dc1a9e6808805418bd1b9911087a1965934828fa6375509bb0946e75bac006940c292645f96a04efac3b2b7d1b3bc8a78f4c14fdca1ac33cd5776e9c650f8e92

Download Submit
memory/640-170-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/836-81-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/836-152-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/836-88-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/836-70-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/836-73-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/836-84-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/836-76-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/836-82-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1004-79-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1004-50-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1004-15-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1004-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1004-21-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2440-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2440-3-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2440-7-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2440-13-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2440-5-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2440-0-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2440-4-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2440-20-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2452-45-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2452-75-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2452-66-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2452-48-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2452-49-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2548-184-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/3912-175-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/3912-90-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/3912-89-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads