cybergate | 4e675dc623035d1299f5bf2ecd72fb1aa10904d00f23c4ab136c7317bf14942a

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/01/2025, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Size

575KB
MD5

97921228e2d648d225b4f1ed814bc32b
SHA1

b13f6a7b01eefa960360a2394f69aca8731aa94a
SHA256

4e675dc623035d1299f5bf2ecd72fb1aa10904d00f23c4ab136c7317bf14942a
SHA512

9b43fb2232cfd1919cf80e91f3a25f27c94f2aadc8627854981dd3f9d46a651ea6528ee98c183ffaa7fd751ae36aed6126fafb7609cfd6b436adaa551c0df681
SSDEEP

12288:tB86bWoRWbXJz7LA9FLLdrlGLE0kuGnESB3:I6bWlNz/AT9rEMtnESh

Score

10^/10

cybergate fcuked-u discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

Fcuked-U

owned.icm-bot.com:2020

Mutex

M43IIL0K723SE6

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WindowsServices
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
ma1lc0
regkey_hkcu
WindowsServices

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Services = "C:\\Program Files (x86)\\WindowsServices\\svchost.exe"	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Services = "C:\\Program Files (x86)\\WindowsServices\\svchost.exe"	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0J2CI178-6VV2-0HY7-IWNV-N5F0E2F6D384}	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0J2CI178-6VV2-0HY7-IWNV-N5F0E2F6D384}\StubPath = "C:\\Program Files (x86)\\WindowsServices\\svchost.exe Restart"	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0J2CI178-6VV2-0HY7-IWNV-N5F0E2F6D384}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0J2CI178-6VV2-0HY7-IWNV-N5F0E2F6D384}\StubPath = "C:\\Program Files (x86)\\WindowsServices\\svchost.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Executes dropped EXE 2 IoCs

pid	Process
4952	svchost.exe
3868	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsServices = "C:\\Program Files (x86)\\WindowsServices\\svchost.exe"	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 4952 set thread context of 3868	4952	svchost.exe	89

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2524-8-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral2/memory/2524-12-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/4300-75-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/3104-147-0x0000000010560000-0x00000000105C1000-memory.dmp	upx
behavioral2/memory/4300-173-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/3104-174-0x0000000010560000-0x00000000105C1000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsServices\svchost.exe	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
File opened for modification	C:\Program Files (x86)\WindowsServices\svchost.exe	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3572	3868	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3104	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
Token: SeDebugPrivilege	3104	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
4952	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2148 wrote to memory of 2524	2148	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	83
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56
PID 2524 wrote to memory of 3416	2524	JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:4300
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97921228e2d648d225b4f1ed814bc32b.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3104
    - - C:\Program Files (x86)\WindowsServices\svchost.exe
        
        "C:\Program Files (x86)\WindowsServices\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4952
      - C:\Program Files (x86)\WindowsServices\svchost.exe
        
        "C:\Program Files (x86)\WindowsServices\svchost"
        6⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 548
        7⤵
        Program crash
        
        PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3868 -ip 3868
1⤵
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsServices\svchost.exe

Filesize
575KB

MD5
97921228e2d648d225b4f1ed814bc32b

SHA1
b13f6a7b01eefa960360a2394f69aca8731aa94a

SHA256
4e675dc623035d1299f5bf2ecd72fb1aa10904d00f23c4ab136c7317bf14942a

SHA512
9b43fb2232cfd1919cf80e91f3a25f27c94f2aadc8627854981dd3f9d46a651ea6528ee98c183ffaa7fd751ae36aed6126fafb7609cfd6b436adaa551c0df681

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
23762fdee142a2c54d1e5dd9309103dc

SHA1
ca0e795cc38e62c209d563d4b846c50d643daac6

SHA256
0d0f3e12191e8f02ea6dad930845511fc32e57b9bed282aa3ad7131ff26aaa03

SHA512
688b8ecb999f1a8505cd8e73fe008fcb460dd785e91abb09551505f896af4ded26e51fd11bf8c905ce859eb294ea8ed26419ee481bcb9b6d3b1d608131d8c14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e4ac9fd352698e3570d6f495a3862e9c

SHA1
812c74af84bfd8f3b786e61aa4484349dfb30a61

SHA256
a29545b5fe974c788d6478bc2c2e1d8d0da21a543f11f3ef266a82d553430f45

SHA512
38f2d40262e43dbd6e55ba2ee8478d6676a00dff56e30ae32d7738cc7ebef52e2ae3b890b8047df0eafc5a6053584aea787a67795d9c8f95c7d04481fe6aa440

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
528ca47a0cabfa93b6c0e840e7562bca

SHA1
8d70e9cac37d71026b10a0e9895da1ae67ce6856

SHA256
911845e2a5d0abb2fde3555231be12334f4ce4a4c2d33b5857aee40259073f14

SHA512
a9302d0cb498619ed0fb2918aba6be62e76188dc9bcfe33b026390d76d7e0bd2f3b28004ce42c1faec2718c29e934e425aa20326a167fac68346eb9b32577331

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
18052fdf0d1a6f9c3b8c05142bb4dbd5

SHA1
b2cc97832062d6b2a892745da30f6f6c7c216290

SHA256
0f015c1e2ee56ae5e409113966599a670e598b3c5bb31349c68e475d0bd45fa5

SHA512
b18be7dae575db7db6a93f5a3315923fc804cf896f9cf5490dab9175360827deea4b930899d4d76e6d49c7d9715ba2b6926632a7ff384aae519b4e4f5b2f80de

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4d654017c178a1a3a9bbd6f2b561011b

SHA1
7d821d90f604ec07e5145fbfea7395a2da8134a1

SHA256
3faa8cdd21dcb966124f7e8ecd7f093fa1ed741a5290a7d9eaa407cc113b2a69

SHA512
f58851edc65e9a2698968cc1c0e9d19e8c300129df67f52c69e5e836a2934b3a7dc07b3de9443cd457a33f31824210853723abf6e4a0ebd4132fa6d1654d1a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eb020ef4076912d6c8307f10a7d82a6b

SHA1
43df939d0824a0ffa4178ad453562b7ce6374052

SHA256
d7c7472b0c05bda897021296e99585c81d8fb6908b600af4496c56fff18e8064

SHA512
aaaa73388a65615192b20ceddf307ba21bcce139e310ca065aa3605d0f387e7c0ab1ea1141f31acfaa0626cc765019cca968984038cece4a58163d73f4a81666

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
840ba62a2d23b421fcaad641ffc55f1d

SHA1
5a1a78ec956970aedbfa686ddda46dad8851c4bc

SHA256
1a454ab02b7f7d63198a3148e3fc17f1cdc5048a0afe5f05a5ca5310e13f1118

SHA512
6ace0d35965f69cfd9bbdebec361b18b8fefe60a3b64147d7b5d9e8b21ed261eb8d58b5c92146c1be7a2e8609bfc228b6221ef980d535781eeef24d74b1c1dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
63cf4dc781ac65e5bcebb9ee377315d9

SHA1
7cd28bf5a767919ea79c5ab41a6ae16f6d1aafaa

SHA256
6445d448a75e20919d186e4f06f389c398868df43b8fae6fbdd4a45a363914b8

SHA512
66af4f0db5a8a646cb1dbc50e99130f5bcb41c46c5c4f47aa1852750d4b6e3783eab9c0911c03cf8d82064432bede286a7495f67472b1fd33beddb959c4f55e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ce41b4fc832a19122db66ac441cc3286

SHA1
7308c858745117e6df81d379623c11ae4e1bc8c4

SHA256
b5bc4ce01119690f9ad4bb05821477e7538ec5238015fcaf6798e46d0ea086c1

SHA512
e334e6840c2a270b1fbb2fc1db9130b7637adbe46d51cb40cc3d3dae9fe238a174021a1ee567bae4f91d8a3b5828338683913abbe62dc5a7ca26e9ab18b01f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d2bf9d427b48cb26305a6e50a465a7d8

SHA1
1efea849aa730ff65249eedf4f705ed95f460f9a

SHA256
47487b825313d8a12ef10f0343cd38eaff021592639a885e0bcbd0f9bd06dae4

SHA512
02f8e444c18e4924b2eb3f941b5a686384e3a119d12c5889b46c3e6ec1f1c433fd90e5ce70908d50d53bd29141b6e2b06d0c0aa5ba86476384a16b4a7e22af77

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a588d7511321aa73af9748b5b44ab19

SHA1
59f91c34a080d91545f5830973c267c2b9f1f33e

SHA256
169f9c19bf783ddfa5c36af75f96abd643a29ac750fcca5318b903ed3a26b4b5

SHA512
6cb84f51628ab2ab703e66f443447ccc970003e0327a9f5342676c87879e14b9fca489c146187ea543786c046666dcdd15677b88410b3227c83a62a603a87877

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9606f4255b2071b395391c7c8868286a

SHA1
10282400145aa02b1e5d4fe74621fecfd83feb67

SHA256
3e83b2974eb5e9d66eea266ee4f1a8ba1e04e47ec25068393cb06beb1f876efe

SHA512
438db8e28169f0b3801b2622d0bc897ea99f2f2105782db0921819b01f29a610084de2107277e538d5d3015f302487a61dc68a4d7ee1f812b815ad617216b46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0833216549be53be9ecac72ff2a5a0b0

SHA1
066195396420cf73b015284847aa8d447302da9c

SHA256
4e20e80b8c4aff148d32a60b2c2f272afa3a27e68eedae6d610582a0ca4ded4e

SHA512
6a4f4982b12f497c92c0c6dc656b7c57a1bf918709035a2f02b7e6df16784d476fcd8ec6dd814f1f1f3877773bbaf82b097b0f89ca18551e415b99c4ef4ef4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f75da688ce019780bcdf3ef99708976a

SHA1
d811b05620dd371696e152e0797c1b29716652c3

SHA256
9e151286be588f07c014fc74655fd6ff77a08970136b45aba4a6b9f7a33a8ea4

SHA512
e0b8153da6824cc3d8ee6f5857311dbb73b14706c7d6da4a376bf3f44630d94eaffe3406d805c67495704d5480b2337e2dbb73b52c4910b54fbf6dffccd25057

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9ef347067437cf3fc7b662dafc4d002b

SHA1
a7fb12b766f817c5d06669f6df50b8dfbb4edb86

SHA256
190cf227aabe303109be232e9c643f9cc973712bb90411ffab4f47014fe1504c

SHA512
79de33429198bac3c5aa1f4c8a9c14271b82a65e89351fc2e59d13d1062f3bc2c91b7b4cf0ac9063979ac4f4dcd28e099e7086eb1dc190125ef48853d333957a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2b324ba9073526aff57e29a608b0c2d6

SHA1
06c9bb1355c574075734fd292111b190b3e3b1d8

SHA256
9bad86aa82f438e07a75d9157cb45f5e7dc565493b1e515e9f62082bf950141e

SHA512
6f92918976f7a1d3082a020aa159517cac049bf8f750aa80d4072332b478db182afb8cb5e6ea6c641a5146c043d1e9d1d406a0905647a33048f4eb9e8123d5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d2f8cbef933eddf37c5ea7e287621c15

SHA1
4edc1ba5ca2b7761ee064c294a68db4e900adb7f

SHA256
6fee9c5b8299798799374a7aa85880532c39238ad2bfc549311b08a5a750083d

SHA512
9cc2b62f387d313e590e62b7ca87ac00823bb8bdb3b8e00be6634547214f180be4773b45c164a92914ed9224a77532693f644bbcf1140a988c879a443834f503

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6fd616984fdf70817cdc20f45e2ae9c9

SHA1
cb6a7ec76901b814bf8883976acde43044ccd43d

SHA256
45b800562690cb6ffbb50e0d18973f3c7dbb4291d6f6a3b34460ea5177ab7ed2

SHA512
6dae61fe4d461020b3754a1d5598ac97e58796996b617777f5a5e9d1784ed6d81418119add40a4a14b8518416f9cf96935b79678d03175ff495e46e869db8da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a9647891505ae6f4a1e86f25cf9c8a98

SHA1
342dd1f2e65e3364f6d251ac78029e2a649ecf15

SHA256
6696815f16a25ec1b2fc9bc037cb0fdfdc35909e7cd51071a967e9e6228f9cfe

SHA512
fa1aa7472c68b5509ae015ad4cf4482f6eec60caa8b22ab3661c9f1e7116360eaac0c14efbd9c25316156c70f044278b67b0c4b8045821e5dd4035103d1e722f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
892755261519bd4b5765526cca169621

SHA1
1b5958929364e914eea9b442af342bdd41c60821

SHA256
68b534cec61810808ee51b4c5f091b2abf793ab84a75800bc3652dce4f6b3b8a

SHA512
1e244d27260a688c439967ee2dab7cdc0e974bc0c87a66fe9f3e52ea6d297bedfe7b0d24b23e13bb2d7cb4a2bffa8439af30b1522cc024612e86281480211fba

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/2524-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-29-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-12-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/2524-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-146-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-8-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/3104-174-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/3104-147-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/4300-173-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/4300-75-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/4300-14-0x0000000001650000-0x0000000001651000-memory.dmp

Filesize
4KB

Download
memory/4300-13-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads