cybergate | 4e675dc623035d1299f5bf2ecd72fb1aa10904d00f23c4ab136c7317bf14942a

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/01/2025, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Size

575KB
MD5

97921228e2d648d225b4f1ed814bc32b
SHA1

b13f6a7b01eefa960360a2394f69aca8731aa94a
SHA256

4e675dc623035d1299f5bf2ecd72fb1aa10904d00f23c4ab136c7317bf14942a
SHA512

9b43fb2232cfd1919cf80e91f3a25f27c94f2aadc8627854981dd3f9d46a651ea6528ee98c183ffaa7fd751ae36aed6126fafb7609cfd6b436adaa551c0df681
SSDEEP

12288:tB86bWoRWbXJz7LA9FLLdrlGLE0kuGnESB3:I6bWlNz/AT9rEMtnESh

Score

10^/10

cybergate fcuked-u discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

Fcuked-U

owned.icm-bot.com:2020

Mutex

M43IIL0K723SE6

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WindowsServices
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
ma1lc0
regkey_hkcu
WindowsServices

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Services = "C:\\Program Files (x86)\\WindowsServices\\svchost.exe"	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Services = "C:\\Program Files (x86)\\WindowsServices\\svchost.exe"	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0J2CI178-6VV2-0HY7-IWNV-N5F0E2F6D384}	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0J2CI178-6VV2-0HY7-IWNV-N5F0E2F6D384}\StubPath = "C:\\Program Files (x86)\\WindowsServices\\svchost.exe Restart"	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0J2CI178-6VV2-0HY7-IWNV-N5F0E2F6D384}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0J2CI178-6VV2-0HY7-IWNV-N5F0E2F6D384}\StubPath = "C:\\Program Files (x86)\\WindowsServices\\svchost.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2004	svchost.exe
1884	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
824	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
824	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
2004	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsServices = "C:\\Program Files (x86)\\WindowsServices\\svchost.exe"	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2004 set thread context of 1884	2004	svchost.exe	36

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1784-567-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1784-944-0x0000000010480000-0x00000000104E1000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsServices\svchost.exe	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
File opened for modification	C:\Program Files (x86)\WindowsServices\svchost.exe	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
824	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Token: SeDebugPrivilege	824	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
2004	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2084 wrote to memory of 2692	2084	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	31
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20
PID 2692 wrote to memory of 1120	2692	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:1784
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:824
    - - C:\Program Files (x86)\WindowsServices\svchost.exe
        
        "C:\Program Files (x86)\WindowsServices\svchost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2004
      - C:\Program Files (x86)\WindowsServices\svchost.exe
        
        "C:\Program Files (x86)\WindowsServices\svchost"
        6⤵
        Executes dropped EXE
        
        PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsServices\svchost.exe

Filesize
575KB

MD5
97921228e2d648d225b4f1ed814bc32b

SHA1
b13f6a7b01eefa960360a2394f69aca8731aa94a

SHA256
4e675dc623035d1299f5bf2ecd72fb1aa10904d00f23c4ab136c7317bf14942a

SHA512
9b43fb2232cfd1919cf80e91f3a25f27c94f2aadc8627854981dd3f9d46a651ea6528ee98c183ffaa7fd751ae36aed6126fafb7609cfd6b436adaa551c0df681

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
23762fdee142a2c54d1e5dd9309103dc

SHA1
ca0e795cc38e62c209d563d4b846c50d643daac6

SHA256
0d0f3e12191e8f02ea6dad930845511fc32e57b9bed282aa3ad7131ff26aaa03

SHA512
688b8ecb999f1a8505cd8e73fe008fcb460dd785e91abb09551505f896af4ded26e51fd11bf8c905ce859eb294ea8ed26419ee481bcb9b6d3b1d608131d8c14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
82f8f2e6d30873ca942c96e49a9fefe0

SHA1
bba2c663b06291006a6db22344ae60b9378c7994

SHA256
01d1761ed026f1b3c97fdeb69466d5c5db06387120eb04c10ccd81ff45871096

SHA512
91b78bbe8250417d15a53568820132a1d79d1eadfd395ab701c60b6d7234cb89f7a06c37dce6f557e5682198859c28340e0e3d5ab002b8b358d153b47eb2ef04

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef788c8f216e03856176525788f8ff0f

SHA1
60c2774357a51470d1bf2473cfd4d544b7348b96

SHA256
3e518f733c40d9ffb37bf0993f98cd3688a3d946f528c58cbe82a29ac2c79321

SHA512
78915c29042cb1eeb517f3a2a6ed9c0485b8c802083945bd0f996534b1e390cb77e4106ffda3502043536f0d0e6fddebe341c71fee4a9ebaa83e8475d3700393

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f0f4abf03cae272ae6b7f71dc19ae228

SHA1
955b3e1c1b04c298b21271a8bbb654259a3b7742

SHA256
0872449a22c0d8deddf229797cba8e3cf20fc77464a2ae71de52bcd8711306f8

SHA512
e4d6d5b4b1d1f2bcd1358521a46ae26dff7638ded2732214ce1bb9cea4241f142ea688d1b90d36cfc82bdcab8f77efcac015d7b4cfe725b39001fe29a96eb5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cca57e833305dc0f6e88451066c541a6

SHA1
f14affcad6142fc7d1b9ee0c20e6588843eade9f

SHA256
81e477f334e088f8c6b0eef7b79350296bf727d4b35b53263511dd505d2b787e

SHA512
957a7d0236b3c8f06bc5406615e950622cac0317978ac4419d56fe6574f81d9dfde31a0d8b3d119a4a9aabcb2f471e3881ed9ba9b2bb596adb2922e96038dbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3370dfee093bc331903cc04ae8e307b9

SHA1
ceb26abc81bb34301e0b470c77bd5cb03492e501

SHA256
a406c056a55382638b6e9665462b1d4484cd687b7993b5bda7f5202b9898dd63

SHA512
69b5da7f4f81feec196fb10bb21cbb1ebd02f2b13f5538cc1a5b35a545f304e9af2820ec6eb8128d4208716bcf4c8511ff91329fc62c73e80df59510f689bdfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
758afdf54258d6d04caa59ff3c1d954e

SHA1
25c6250ccfd68c77e8193a726b2125dc54ce9f67

SHA256
1b0f434241ab0ec9c10a3628498a534a024b8e21d0faca7aec44352cafe2d21c

SHA512
53d0c63e2777d38155a29a87beccdbd1e31e5a8381ef7052f9029e9401b59a9549a7cd6d2e38679dd3f1f126d1149d9c028b0d3d74707ebff0907ca174a4427a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5a03e9592fa99c8d7fd2d2af7cd0df20

SHA1
9daf3a7f06152fabb68c5cbb0ad384642ed17cdc

SHA256
52897097f4e8d95adba562668a6447850398bdb0ae5bd0e9de66f98ce4fcdfdd

SHA512
89cade9d90f3449799267502432fbf624da6e31af5dc4b3a4162f649dfc6d62acf5789e6c9f7bf07f8965942aa034f24418a1af9f8b07168e8368de92f70095f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5b3e9c6c10f7281b42d693dc2640dc9f

SHA1
8df39997a7110e88ae2dd23aacb19a40722972a5

SHA256
ea2b2bc66f9ea3d789fa67a4671b2ddf43f2e7c6a242a071bea37beaed548589

SHA512
4fcad59dc09e253afec9c1dc8674e05f898ad9a3ec1ec971ea15b3606877b19d9734699edfc242a87e44f15f37998d793568d3d8a7b17a62062f57a3688e4b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8acd274541f31cb35c9fab0ceb47e050

SHA1
3d36b8bd67d0e2525bdcdbf35bc44636f995c130

SHA256
bbc8e65caca59fbc3bd8b40a6db0bd5a6c4159cfe5106cd37fa112f99aa50981

SHA512
013978924e6dbb9f65fe14b29b146ff528212286de55dada4c93b7b672ef0950e5f2812f0d444f3ac4f6748c3e2589be07bbfb0cb1bd82c7ed56a4a229894551

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
80de4ac0b78e714382efa773d076e31f

SHA1
e74c1d4f843431f77811473aea4ee7812c5c95d2

SHA256
c3a2fbe444752793b402de81e26b019e953d17c553f5b426379de8eeee99b8d0

SHA512
a0a3e6be8b48f612d186a290915b03716c9442e48e4d67fcd50737424e53b701cf092cd1e152567db43c37dbf73abd9631fba55c9795e9d5cc4256ad0e56529c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f167f6b5fc1ec62d7c663a3dd1c8a49e

SHA1
c54bbde323db0c8b5b2870d650675a5974e55381

SHA256
8b109b7d801b21ae3cba2c4d01ad30fe44282c99643a4350e55e5be806bc2655

SHA512
c0dab85b4332b28fdf8f181c697dc590b570fc1ee0329021d54283c64b8e42aee981a587d0d6e447883fff42f2e8c9d93a66d30b15afeff631f2af1d7c046900

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b35ee2bf674994be3d6cee440896dd12

SHA1
30ff647c96bc33e7c4d13f80d3be24ee58ae5237

SHA256
9a4b069911901ad94cc8cff0757ec6cb7acfeac7e5b899e3b77d2ba9c3e08ae6

SHA512
a6a0102e09fbaebe16541dfb8c3846739fb7cfa973b6757b1cdb1c1c36a0985283ddd5fea1269bf3f037e03555d2e43539173f319ae6fee8195b2691c5d5ae09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3af15cccb1ff53a79751843fcba737cc

SHA1
9215e89e70227c86e9132acf77e553e185387b22

SHA256
63b728a0be89612622865a52838ae15eb76808e1dc07a90c1b5a578d81b7b12d

SHA512
6a3750bfee6c67c2261c2fffba5ae01aa11b2ef5ba84a7636a6f9aa6ece81029af2abd22e39e7a2032f419945214955556f4a992ab25fbc4368833278e0cf2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
315e37826e431bec38376b6316f6f9a1

SHA1
f166ce1e257bc610c70b42443889acd9f43df8af

SHA256
bbd88547a13003734671834e17c12fdab4778e6d3afb4ef4d4c9c3453ec5da22

SHA512
8de7a1ed8636d72697f15de95c255dd68273c19993540a954b752490cd39db4d66383b9863ffadeb0256ef93d96db1f267140ef9d5c34c1bc549584a258b715d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
906ae2b1bbf05f333e46e2fea18b7d38

SHA1
7f417529a8d440840a7e60538aa65109161af68a

SHA256
9d940fc20cb9b269be18e39637124a7549f3d6ee5cd53e0f99a4c914057297fb

SHA512
a78e94e7b13da4cc5c369d3f63e874aa0174799e40106c342933ee4a78bfe68e11b3966588823fbe319fc16e37eb1b26a5bd0c16c0dc3b04ceab7c51d866d9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ff5465d5f2f410785dcdf6f87dd84eac

SHA1
0fd183a3dce178b083f66f840343a832ced32933

SHA256
a170007fe3846165362fbaf736119758b3d1de57a7e0c10693c39a3befa34288

SHA512
0993d9e681e5009a37d7322287907ce237cca37229779d15f4fc34bd75ba5e997cfa3beb7e583875053e018a3f2aefe427986fe72466e2ac5d07efee565bee3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
439c791410d3f3fe62fa77f5392d0f0b

SHA1
1a49a72c180c7d7ec4b105ff8f641701e5316fc8

SHA256
71e7abfbe6d67301c84e5566ee3cf2d86debb09a9a78b4ce2c62ddc01fe32335

SHA512
a9f153df40cc922756d736ad6dca6ed7c613358317121d998e663941521498130be16c9d69ba772cbe01daee748943a0487ddc36cf8b6fce85a84ecd4c5017ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
951b8276089473737f49ed81eb3e2580

SHA1
51ae80b834ebcc7316cd3f8afe7264cc12229514

SHA256
a3e075ba54beff2f641529444592aa847c274746bee049242e78e86dfe75237f

SHA512
b725e249bfb017513313336d1999168907db5b24af27154092e4c71a764a2114ad66ea8641881227641784bc57162594e1e31607332ed1dc5b8dc24fafb51589

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f6ec7297004633eac0d76b744c9c8e87

SHA1
795f972bd7cdf61a1e3f14688ccd61b82f498e64

SHA256
fb740fa07872965bdb519cc65b5379e9e3c2f881c33dfd152b852351ae7b97e7

SHA512
903247d6b743b8e437bb2ab542a64cb7a9e0eeb87683c5ef02f38715ec83004281810596ebe899fddf9f34763e2e28e79fa97ddf4e9ff3c75f66cdb4b1ed9de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0a0f4be3c4ddf97c01b0c70b44d0c47d

SHA1
ecadc2155e9a5fc82f18e181211fb82a3b6a0947

SHA256
abc630867d6fbe01c88d2639d938d06b045041a17cb0623b5c877012a886eb32

SHA512
5be30bd75c090906dd73428091900291ed2d38fc929443cc4df2e1dcbc341d35b67c547b68a742a0979f20550c82bfea9a3f2f4637d81a6403eba55ba3a6e392

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
887b83f71f27f7d1851feb52a0131ab3

SHA1
170d86a41d6d2aaa158fc43c5c0c29d5fc6f3945

SHA256
e0c9c368c0fd6494402245721d6b4b89df6636813268c4067e6d3b2373751104

SHA512
b62e675eeb86e3673116a7449667be525eba1869e8a0a2425df1cf075fc7d6d782a823541e22e43cd996c9651f75bb26395710277436b78962429b204e8d15e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2dd84c40f70cb9eadc6fcc99d194aab2

SHA1
df9690fd02702adfcbf5d881d385ad42e5777004

SHA256
9dde291054aee616185ff761a5f2dfaad12f3e63e598cc5b3d26098b7e1bbbc1

SHA512
a6632f6cab012be87b97d85389f8b34f4b5fe35d95065d6bb47168e60e64083e7e8a3ec2ca543badbc4431058e01d8a6e20175c5791872e39a0409982dd038e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
995d6f55ce1a8878e9979ec10690a29a

SHA1
418fddbc89310493620693b6b3f32a4f215d40a8

SHA256
22d1ff56292a8b5086d1e6de976f129bcadc74b9b116dd0efb6d94bf1eda3582

SHA512
a8e925811af0568cb3c6b281110d948e957665f3d4f019ded7aca4e5bebf54a2846217ed9c42efa377b1cf2d943eb2557816b190bca3feeea0ec211bc9248cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
400bbdde33785836f76c3a8c6ee6f571

SHA1
99dc3178143d4a76a58f0dc1153ae63f081147fd

SHA256
27abfd8046c2acff6cf00b4e309cd2a271500088bb65a3f82930547729cedd37

SHA512
ad11527f0a3664b709c09b27ab823fea4e8a369864dc8aedb5dfe243e700fbaf22945595f44f7ec046eaa99c40736ce742c52bb72dcdb9a55d6db7da7e6fbc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
87d0fc6e0b84fd5b960d4d34f9bd21cd

SHA1
17a57de4cdaa8eaa29ec75da706439ec3eb9b2b7

SHA256
31fc7c1a1e1e94e7d8fcc2ee04fbeca46aa40991444cf05654db3397d61e62fd

SHA512
6ac818eba5b71eaab1c1b1b1a748c37ddde9c016a3f8a188fbe825509096179f8f086c7a79c48ee6712d6999b3133a0a3970c3e3563722ceb47302639fdcfc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
59f16e3ad4f3039c9a4e4f65c7375b46

SHA1
6b7f9f47a89fd0c18f43ef60f00fc54ca95ddb4a

SHA256
e7e52c73e793fa48d363f543152d8f47f220ab4abb070220bdcd196150b3eb6f

SHA512
298efb3ee0097d5462d74cfb6db456c975189ee7bd011611caad33cd06806f48d937798665ffdf1a43ff8aba44ec1d0999813164c72f011a5b6a7ccc3938684a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
93c3e3d3c4f82773a1f91f521cb8d458

SHA1
a5722a75923665845555ed296cebe55a4c045fe9

SHA256
033cd38de655b8820ce192b92c45644294727b6ac5303121b78e79706c41a419

SHA512
dd8759b84c55d5b5448a1c13631d4b840b780e8243454c68f45525b2c8d7051d9a555376b960f86ab24c90bc169a2b0e35703ba0b61db9c37eb980f7f7ee013b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5eb4a42754c127b33794f90ed3c138ea

SHA1
8965160cf1e6db7424d97b53d888fc65374bada6

SHA256
bf99b14682e7905ded60767d227fdd7b730290d40437d2be78c554e789799ff9

SHA512
e19f15a484aa82a16814bcd1a32ce071d2b280678090e080aedfbd793223b8a9b9d192a9ed6c77037d1f2ed8fe55a52ce7dc1a75d0513278875c3089072b3b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bff36bff2a85253024db4ef9ebaf9567

SHA1
bffcc79418a35edfa88c6a9503349acf3777bb95

SHA256
b63b3b46990aeb24baa38f0a011a213127670d015423e303d9341dc520ddc6ce

SHA512
9b833745f302e8190f6b8637be48c84a5acf65ecf0b578b75fa627322006c6c4afdc00d17f32816e2dcd334db1095585c95bc7944aec361beb85620de0bbc962

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
79861e848dfba43a8e532b5712c5e6b5

SHA1
7eb9cc586b5f44cc52f2edbe5023f9e35c6235a9

SHA256
d75ac2127685485a456a3ad8fd1b0a7374b46662f1b5b81c7bdd6eda046efeb8

SHA512
cef7bdf8f4fc5754deeb169f779df513efb4d0822ff398ad09dd223170b8371fc1073488dd2e961792d81cd43807fe762e0c875b15d6f665ff9e4bbf42e74163

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0d9d69997db0025b663b495f4d384305

SHA1
06cccbb4f1c26a9d81ab467228cd658354a3e994

SHA256
fe442b1c5735383bdbcfd02a76841efed9cf5853479ec4f7369f5a7eb49cbfb4

SHA512
5f077459051eed1b33fb5a4329c8ebb30be70b129b6daa6fe888f0d73a61e52f5528274209d4891c71a3304d3a712b2f3c5b1ff899f5f78cb36062aef009dc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f5e57d01653a2d864a3ef836665a8c89

SHA1
763ba4e0da833f1285756893e93c693ba8d48a05

SHA256
b1a7c954bf0b6f0d5c199bbfa1ad0c72bfc01e996322eddb7d6bf7c19289d533

SHA512
18ffba01d547bb9f4e44c15e79d32817b1d60796a223cfd79fab395d2773d0f1abbd18ab2d3e91012ca175952fc5543e201e2ef26ae5abf070d6b589a2ca1d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bddfe075065e2e0b008aa48ccd13eed2

SHA1
bcbf89a46d9d8b3a114e1d087f84efbc5b7fa844

SHA256
e28a1f7d4241312de7394d9becdce7ddf1bc1daa69e3cc615ae94c6af3526414

SHA512
636eb100bb264a693a06644f6d4a47b571810e0a628a309cbb3d1a7ff230310ec5dad050092b738030654dd876ab7f932ad8f60c380cf5bb1a017c41b84d35ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2153f647d9d987b95abd6862458abfb6

SHA1
3b880c61e901a82a6cfe5e12c8cbe47b78608f55

SHA256
911a96813b9482551a1e0af13cf40794d535e444599fc02ecc0d4b3af2fe839a

SHA512
1c919f267368914319409e55fd5541190d53a171e28a028103014388170866664f395722139ab5e61d5002f84d366bb93b73b5f459797dc85f8b92e6d97f2bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cd4445f4fb0ad94c555c1027147e6038

SHA1
a20a4adb8f306bbd19c6b772024a400134792eff

SHA256
3d397ab84a6e60ffc0588b78116c5ed1206bd52ab3af99a5488cbe4662d478c8

SHA512
f56730b1b4d8482a800f2bf6bb5a8e165d629bd93cffd41a9701e3e744888cffe2a317b9a265a6b0dcf2e7c9a8426327f36c1314725479db9e45460a1174454a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
026e85d4f994f0606e882c51d1480e71

SHA1
e3c0a359e9c343dfc85fdfe23dac1ea20d1ec9ed

SHA256
3c5c62fbbeaebe8fc7f0a2f7fbdb1526c2e009bda1ae81dbf58ff969fd9dd800

SHA512
fde886485cacf90d86e027531395ab92fcbe82ad9884020282a19afaaccaecc2281a35f3fb070e3abe58b25fcaf3d72592d8b2deef088fd19812944f2a7ce3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
273bef653b7593aaa7f10ed5c0f9f94e

SHA1
bc6089c2149267f14e4732fd7454a4c906d3e477

SHA256
7ccef9632a1c4dbc0c1bc8a3d75111afa9f4a93e38036439fbfe87330a0abcb6

SHA512
e890b57e58181c1111a71692069d3aab07e718ac230bb744d67f8d723af4ec984e07d2754151c839468de83df069c7e0af1352241eafefaf7b3c34ccd6ba4539

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8ca0cef374c5fd5f38a21f2499796064

SHA1
3b0b1859b158e364f36e253f730cc98d2532abca

SHA256
7163380b26b2210bedf64c9228058e46727213a607901b7189e0187aa68187eb

SHA512
c62a1f76ba4656dc308a3a5c2fb9cb09366a48b61a2bb96f16c0cce69309d6d2c0f28d0d7fda0a50f818801ba81a65d5f9de6aeebb2e4a7fa9a8a41f5a8de5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bd063170c49b61ab7377fd41c8d44cf1

SHA1
4911436688ee5eafda594ece958ace0fbd22f42b

SHA256
13d504856927d50fc4d94b8619af493182f1718e8402e236b58ba19f63236234

SHA512
f1fae18b95c76397cc86a66b2c5ca1d915faed6a35bc207f2c1a949cc8873cebe4f06aeabd7fee70af59ac7dd6b09074447b7f9acf5bd066bde11154240dcb2b

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/1120-25-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1784-944-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1784-270-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1784-276-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1784-567-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/2692-21-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-9-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-19-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-11-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-368-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-899-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads