Analysis
max time kernel: 145s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2025, 00:54 UTC
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_01036fa60c6ce717acd9746962983353.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_01036fa60c6ce717acd9746962983353.exe
Size: 458KB
MD5: 01036fa60c6ce717acd9746962983353
SHA1: bd41017df7c817188f498abc6568f8181f3df12c
SHA256: e566c9eda044fa8824d77dd9d632c33eaac4f188b0f30379113743842ac54cde
SHA512: d75a05a076da8b27509fd0a1300164effa42cd9e30025ec084e98f4d79987b8c9da7d893cb7ed3ddeeb5e381ec0482fcb89be52888e371c960f47febd7ad219d
SSDEEP: 6144:THBPd8fAHaBpdSDAYzPFy2j3cLjTuQnJ3m0syAa1XhJZms8MBYQbHqQPQ:RjAYzP82j3QJlsbRxMBYQTE
Malware Config
Extracted: cybergate v1.05.1
remote: magemaxing.no-ip.org:3458
remote: 127.0.0.1:3458
WG1CSG04771U34
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: winstart
install_file: winlogon.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: boogaard
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
Cybergate family

Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (Crypted.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\winstart\\winlogon.exe" (Crypted.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (Crypted.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\winstart\\winlogon.exe" (Crypted.exe)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{TWOH7KMI-64Y2-0J0B-8DAE-Q23P5YMD8B1A} (Crypted.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{TWOH7KMI-64Y2-0J0B-8DAE-Q23P5YMD8B1A}\StubPath = "C:\\Windows\\winstart\\winlogon.exe Restart" (Crypted.exe)

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (JaffaCakes118_01036fa60c6ce717acd9746962983353.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (Crypted.exe)

Executes dropped EXE (2 IoCs)
  PID 3024 Crypted.exe
  PID 1116 winlogon.exe

Loads dropped DLL (1 IoCs)
  PID 3952 Crypted.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\winstart\\winlogon.exe" (Crypted.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\winstart\\winlogon.exe" (Crypted.exe)

yara_rule upx matches (resource):
  behavioral2/files/0x000b000000023b73-13.dat
  behavioral2/memory/3024-16-0x0000000000400000-0x0000000000453000-memory.dmp
  behavioral2/memory/3024-22-0x0000000010410000-0x0000000010471000-memory.dmp
  behavioral2/memory/3024-45-0x0000000000400000-0x0000000000453000-memory.dmp
  behavioral2/memory/3952-32-0x0000000000400000-0x0000000000453000-memory.dmp
  behavioral2/memory/3024-86-0x0000000010480000-0x00000000104E1000-memory.dmp
  behavioral2/memory/3952-91-0x0000000010480000-0x00000000104E1000-memory.dmp
  behavioral2/memory/3024-93-0x0000000000400000-0x0000000000453000-memory.dmp
  behavioral2/memory/3024-26-0x0000000010480000-0x00000000104E1000-memory.dmp
  behavioral2/memory/3024-23-0x0000000010410000-0x0000000010471000-memory.dmp
  behavioral2/memory/1116-115-0x0000000000400000-0x0000000000453000-memory.dmp
  behavioral2/memory/3952-119-0x0000000010480000-0x00000000104E1000-memory.dmp

Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\winstart\winlogon.exe (Crypted.exe)
  File opened for modification: C:\Windows\winstart\winlogon.exe (Crypted.exe)
  File opened for modification: C:\Windows\winstart\winlogon.exe (Crypted.exe)
  File opened for modification: C:\Windows\winstart\ (Crypted.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  PID 2532 WerFault.exe, pid_target 1116, procid_target 87
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Crypted.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Crypted.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (winlogon.exe)
Modifies registry class (1 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Crypted.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3024 Crypted.exe
  PID 3024 Crypted.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 3952 Crypted.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 3016 JaffaCakes118_01036fa60c6ce717acd9746962983353.exe
  Token: SeDebugPrivilege, PID 3952 Crypted.exe
  Token: SeDebugPrivilege, PID 3952 Crypted.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 3016 wrote to memory of 3024 (JaffaCakes118_01036fa60c6ce717acd9746962983353.exe, procid_target 83), 3 entries
  PID 3024 wrote to memory of 4368 (Crypted.exe, procid_target 84), repeated for all remaining entries
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01036fa60c6ce717acd9746962983353.exe (PID 3016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01036fa60c6ce717acd9746962983353.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Crypted.exe (PID 3024)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe (PID 4368)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    C:\Users\Admin\AppData\Local\Temp\Crypted.exe (PID 3952)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\winstart\winlogon.exe (PID 1116)
        Command line: "C:\Windows\winstart\winlogon.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe (PID 2532)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 564
          - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 5116)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1116 -ip 1116
Network
All DNS traffic went to remote address 8.8.8.8:53. Each row is one DNS flow: bytes sent and received, the number of requests and responses, and the answer record where the response carried one (an empty response means the resolver answered but returned no records).

Request                        Type  Sent    Received  Requests  Responses  Answer
8.8.8.8.in-addr.arpa           PTR   66 B    90 B      1         1          dns.google
104.219.191.52.in-addr.arpa    PTR   73 B    147 B     1         1          (empty response)
181.129.81.91.in-addr.arpa     PTR   72 B    147 B     1         1          (empty response)
138.32.126.40.in-addr.arpa     PTR   72 B    158 B     1         1          (empty response)
167.173.78.104.in-addr.arpa    PTR   73 B    139 B     1         1          a104-78-173-167.deploy.static.akamaitechnologies.com
www.magemaxing.cz.cc           A     264 B   264 B     4         4          (empty response)
www.magemaxing.cz.cc           A     264 B   264 B     4         4          (empty response)
228.249.119.40.in-addr.arpa    PTR   73 B    159 B     1         1          (empty response)
www.magemaxing.cz.cc           A     264 B   264 B     4         4          (empty response)
197.87.175.4.in-addr.arpa      PTR   71 B    157 B     1         1          (empty response)
15.164.165.52.in-addr.arpa     PTR   72 B    146 B     1         1          (empty response)
86.49.80.91.in-addr.arpa       PTR   70 B    145 B     1         1          (empty response)
www.magemaxing.cz.cc           A     264 B   198 B     4         3          (empty response)
www.magemaxing.cz.cc           A     264 B   264 B     4         4          (empty response)
www.magemaxing.cz.cc           A     264 B   264 B     4         4          (empty response)
172.210.232.199.in-addr.arpa   PTR   74 B    128 B     1         1          (empty response)
www.magemaxing.cz.cc           A     264 B   66 B      4         1          (empty response)
www.magemaxing.cz.cc           A     264 B   198 B     4         3          (empty response)
www.magemaxing.cz.cc           A     264 B   132 B     4         2          (empty response)
172.214.232.199.in-addr.arpa   PTR   74 B    128 B     1         1          (empty response)
43.229.111.52.in-addr.arpa     PTR   72 B    158 B     1         1          (empty response)
www.magemaxing.cz.cc           A     264 B   264 B     4         4          (empty response)
www.magemaxing.cz.cc           A     264 B   264 B     4         4          (empty response)
www.magemaxing.cz.cc           A     264 B   264 B     4         4          (empty response)
www.magemaxing.cz.cc           A     264 B   264 B     4         4          (empty response)
www.magemaxing.cz.cc           A     264 B   264 B     4         4          (empty response)
www.magemaxing.cz.cc           A     264 B   -         4         0          (no response)
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
Downloads
Filesize: 263KB
  MD5: 4e2e7ffb04baf6fc937b18c37d01a014
  SHA1: 05a5520ee4ee900b706e4eddafee51ff21f7db21
  SHA256: 38820d2faf1fc187cb37456c1ad59a2834972a05f9f8b4a71a280516b9415434
  SHA512: 2dd13e1ed3226f819bca4e2124c4358340bf9b46e3e924082ddb77458c1049930a8937fdb0a5fb00018eaffd8cd0d04a0a529141f317097afd98162848d444d0

Filesize: 222KB
  MD5: e3b214648f5f78662000682607f97cec
  SHA1: 0fd9a861e26ad27dcfaa61e20323588ccbefab7d
  SHA256: 98536577b1511371202d462b6f4b4c4a02801a94233650255191aa8df470597b
  SHA512: 4e79901a66b4775d1f78d610d725073055fc971ad34bf3fd1b4b51c091e45b25b93a9f99f669f82bfadd99a2ee855ec4085d186047d4e9f203b31d67d698ab9a

Filesize: 8B
  MD5: 3e742bf30f9737de903942d7b672c165
  SHA1: ba4b2a71991228cf6d69a6a8c0f3f0c4157fafcd
  SHA256: b860731c69980a05419d023cefc9add361e1417d8ce78044b8438763c58e313d
  SHA512: c9467c77e7d53e97079710de2dfb7349dc0ebe318547349d8794380af11709b45718c342976fd296a876a5b67e7dea317dfa37c5ef119ee1dac88db5e7972bf1

Filesize: 8B
  MD5: d339a7165b69dc3795330dfe9c5a88d9
  SHA1: 4771ace914a42c2d64ed847c0962d082c96eacc4
  SHA256: e5c722f620e51857a0055dbcffa228bb5ae23ee5616a406c61eaabc77bd50ac9
  SHA512: 38ea7abe1bae75100d5f6f3cd81cc8e231c8e4f9c1753f2ffe4611cb36c5346bc20943a5a16f26cebfd894f4151a1b069a85672a90517ee41bce3d454ee9cfc0

Filesize: 15B
  MD5: bf3dba41023802cf6d3f8c5fd683a0c7
  SHA1: 466530987a347b68ef28faad238d7b50db8656a5
  SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
  SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314