Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/01/2025, 00:54 UTC

General

  • Target

    JaffaCakes118_01036fa60c6ce717acd9746962983353.exe

  • Size

    458KB

  • MD5

    01036fa60c6ce717acd9746962983353

  • SHA1

    bd41017df7c817188f498abc6568f8181f3df12c

  • SHA256

    e566c9eda044fa8824d77dd9d632c33eaac4f188b0f30379113743842ac54cde

  • SHA512

    d75a05a076da8b27509fd0a1300164effa42cd9e30025ec084e98f4d79987b8c9da7d893cb7ed3ddeeb5e381ec0482fcb89be52888e371c960f47febd7ad219d

  • SSDEEP

    6144:THBPd8fAHaBpdSDAYzPFy2j3cLjTuQnJ3m0syAa1XhJZms8MBYQbHqQPQ:RjAYzP82j3QJlsbRxMBYQTE

Malware Config

Extracted

  • Family
    cybergate
  • Version
    v1.05.1
  • Botnet
    remote
  • C2
    magemaxing.no-ip.org:3458
    127.0.0.1:3458
  • Mutex
    WG1CSG04771U34

Attributes

  • enable_keylogger
    true
  • enable_message_box
    false
  • ftp_directory
    ./logs/
  • ftp_interval
    30
  • injected_process
    explorer.exe
  • install_dir
    winstart
  • install_file
    winlogon.exe
  • install_flag
    true
  • keylogger_enable_ftp
    false
  • message_box_caption
    Remote Administration anywhere in the world.
  • message_box_title
    CyberGate
  • password
    boogaard
  • regkey_hkcu
    HKCU
  • regkey_hklm
    HKLM

Signatures

  • CyberGate, Rebhip
    CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  • Cybergate family
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence check.
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • UPX packed file (12 IoCs)
    Detects executables packed with UPX or a modified UPX open-source packer.
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01036fa60c6ce717acd9746962983353.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01036fa60c6ce717acd9746962983353.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:4368
        • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
          "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
          3⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:3952
          • C:\Windows\winstart\winlogon.exe
            "C:\Windows\winstart\winlogon.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1116
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 564
              5⤵
              • Program crash
              PID:2532
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1116 -ip 1116
      1⤵
        PID:5116

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Crypted.exe

        Filesize

        263KB

        MD5

        4e2e7ffb04baf6fc937b18c37d01a014

        SHA1

        05a5520ee4ee900b706e4eddafee51ff21f7db21

        SHA256

        38820d2faf1fc187cb37456c1ad59a2834972a05f9f8b4a71a280516b9415434

        SHA512

        2dd13e1ed3226f819bca4e2124c4358340bf9b46e3e924082ddb77458c1049930a8937fdb0a5fb00018eaffd8cd0d04a0a529141f317097afd98162848d444d0

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

        Filesize

        222KB

        MD5

        e3b214648f5f78662000682607f97cec

        SHA1

        0fd9a861e26ad27dcfaa61e20323588ccbefab7d

        SHA256

        98536577b1511371202d462b6f4b4c4a02801a94233650255191aa8df470597b

        SHA512

        4e79901a66b4775d1f78d610d725073055fc971ad34bf3fd1b4b51c091e45b25b93a9f99f669f82bfadd99a2ee855ec4085d186047d4e9f203b31d67d698ab9a

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        3e742bf30f9737de903942d7b672c165

        SHA1

        ba4b2a71991228cf6d69a6a8c0f3f0c4157fafcd

        SHA256

        b860731c69980a05419d023cefc9add361e1417d8ce78044b8438763c58e313d

        SHA512

        c9467c77e7d53e97079710de2dfb7349dc0ebe318547349d8794380af11709b45718c342976fd296a876a5b67e7dea317dfa37c5ef119ee1dac88db5e7972bf1

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

        Filesize

        8B

        MD5

        d339a7165b69dc3795330dfe9c5a88d9

        SHA1

        4771ace914a42c2d64ed847c0962d082c96eacc4

        SHA256

        e5c722f620e51857a0055dbcffa228bb5ae23ee5616a406c61eaabc77bd50ac9

        SHA512

        38ea7abe1bae75100d5f6f3cd81cc8e231c8e4f9c1753f2ffe4611cb36c5346bc20943a5a16f26cebfd894f4151a1b069a85672a90517ee41bce3d454ee9cfc0

      • C:\Users\Admin\AppData\Roaming\cglogs.dat

        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • memory/1116-115-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

      • memory/3016-4-0x000000001C180000-0x000000001C64E000-memory.dmp

        Filesize

        4.8MB

      • memory/3016-7-0x000000001BC80000-0x000000001BCCC000-memory.dmp

        Filesize

        304KB

      • memory/3016-8-0x00007FFBC4360000-0x00007FFBC4D01000-memory.dmp

        Filesize

        9.6MB

      • memory/3016-6-0x0000000001490000-0x0000000001498000-memory.dmp

        Filesize

        32KB

      • memory/3016-5-0x000000001BB60000-0x000000001BBFC000-memory.dmp

        Filesize

        624KB

      • memory/3016-19-0x00007FFBC4360000-0x00007FFBC4D01000-memory.dmp

        Filesize

        9.6MB

      • memory/3016-0-0x00007FFBC4615000-0x00007FFBC4616000-memory.dmp

        Filesize

        4KB

      • memory/3016-3-0x00007FFBC4360000-0x00007FFBC4D01000-memory.dmp

        Filesize

        9.6MB

      • memory/3016-2-0x00007FFBC4360000-0x00007FFBC4D01000-memory.dmp

        Filesize

        9.6MB

      • memory/3016-1-0x000000001B400000-0x000000001B4A6000-memory.dmp

        Filesize

        664KB

      • memory/3024-23-0x0000000010410000-0x0000000010471000-memory.dmp

        Filesize

        388KB

      • memory/3024-93-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

      • memory/3024-26-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

      • memory/3024-86-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

      • memory/3024-45-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

      • memory/3024-22-0x0000000010410000-0x0000000010471000-memory.dmp

        Filesize

        388KB

      • memory/3024-16-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

      • memory/3952-28-0x00000000005C0000-0x00000000005C1000-memory.dmp

        Filesize

        4KB

      • memory/3952-27-0x00000000001E0000-0x00000000001E1000-memory.dmp

        Filesize

        4KB

      • memory/3952-91-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

      • memory/3952-32-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

      • memory/3952-119-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB
