cybergate | 6bebba76eaaf80577684a4d1af3195f0eeb9d4435b0911d46bb760bd97396d64

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe
Size

500KB
MD5

3dea75d9db5b89b9dfbeade07c52b58b
SHA1

c46c3024f857bff8aa6f4cd3639e7af6262206dd
SHA256

6bebba76eaaf80577684a4d1af3195f0eeb9d4435b0911d46bb760bd97396d64
SHA512

949bdd04ae5d4757e22f0b4b1c4fbb4823b16824cb6a7e26be9a486b95fdf357323e2cdba44c7a67e41a8c9780e48ce445c621a5a62517ee1a61cfa2d893d554
SSDEEP

12288:3xexIc4ZzqNFpDo6eTtPPbQ0iVuAqpc1pZMrlwXq3Mi:MxZHNFpDo7tPEMAUc1pZSwD

Score

10^/10

cybergate [email protected]discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

[email protected]

lstreeet.no-ip.biz:15963

Mutex

OAKTI06NWO4PTL

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
winlogone.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
whore1
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	real.exe

Executes dropped EXE 4 IoCs

pid	Process
4336	real.exe
320	real.exe
208	real.exe
4184	real.exe

Loads dropped DLL 1 IoCs

pid	Process
1616	real.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key Name real = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName@OFF@\\real.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4644 set thread context of 64	4644	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	98
PID 4336 set thread context of 320	4336	real.exe	105
PID 4336 set thread context of 208	4336	real.exe	106

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4644-0-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/4644-5-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/64-15-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/64-17-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/64-21-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4644-20-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/files/0x000b000000021a75-37.dat	upx
behavioral2/memory/4336-45-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/4336-48-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/4336-49-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/64-50-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4336-65-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/4336-78-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/64-81-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/208-83-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/1616-91-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral2/memory/208-87-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/208-84-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/320-171-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4184-178-0x0000000000400000-0x0000000000580000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeBackupPrivilege	1616	real.exe
Token: SeRestorePrivilege	1616	real.exe
Token: SeDebugPrivilege	1616	real.exe
Token: SeDebugPrivilege	1616	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe
Token: SeDebugPrivilege	320	real.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4644	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe
64	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe
4336	real.exe
320	real.exe
4184	real.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 64	4644	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	98
PID 4644 wrote to memory of 64	4644	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	98
PID 4644 wrote to memory of 64	4644	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	98
PID 4644 wrote to memory of 64	4644	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	98
PID 4644 wrote to memory of 64	4644	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	98
PID 4644 wrote to memory of 64	4644	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	98
PID 4644 wrote to memory of 64	4644	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	98
PID 4644 wrote to memory of 64	4644	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	98
PID 64 wrote to memory of 3288	64	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	99
PID 64 wrote to memory of 3288	64	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	99
PID 64 wrote to memory of 3288	64	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	99
PID 3288 wrote to memory of 452	3288	cmd.exe	103
PID 3288 wrote to memory of 452	3288	cmd.exe	103
PID 3288 wrote to memory of 452	3288	cmd.exe	103
PID 64 wrote to memory of 4336	64	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	104
PID 64 wrote to memory of 4336	64	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	104
PID 64 wrote to memory of 4336	64	JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe	104
PID 4336 wrote to memory of 320	4336	real.exe	105
PID 4336 wrote to memory of 320	4336	real.exe	105
PID 4336 wrote to memory of 320	4336	real.exe	105
PID 4336 wrote to memory of 320	4336	real.exe	105
PID 4336 wrote to memory of 320	4336	real.exe	105
PID 4336 wrote to memory of 320	4336	real.exe	105
PID 4336 wrote to memory of 320	4336	real.exe	105
PID 4336 wrote to memory of 320	4336	real.exe	105
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 4336 wrote to memory of 208	4336	real.exe	106
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107
PID 208 wrote to memory of 2496	208	real.exe	107

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3dea75d9db5b89b9dfbeade07c52b58b.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KBVAW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Key Name real" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:452
- - C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe
    "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe
      "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:320
  - - C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe
      "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2496
    - - C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe
        
        "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe"
        5⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
      - C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe
        
        "C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
7f198c345ee51464a78fdce6345155bf

SHA1
790df04136ae8251c5f719f93fd0f0411daeba01

SHA256
b47ee1e4198cb7864f59b8e56a0c3586ab1fc407ebd870d24e1bf7b6d9f3061f

SHA512
854356180d58715b3327b953242bac94d0b5be0aabc29f9aa321ff204c822bd84f8a87999b3e932f9f45899fa6378e2b5633e80715e329f73f1d9362c9978547

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bbabfb868dc392426c1ff67ca58de817

SHA1
a3f6911328ff5eccbc57340ae55eca354bd237d1

SHA256
1d42f1555cf6c60f19a1fa2513b305ae8905f8b20ece868a30bc99de24e569ca

SHA512
6de87476de6b86ea13f947072185f5ebee453f0501725bab910a3f012e117b703be8599dbca1c90d070c394005dab1fb3a4dca13bb60599c6dca232022db1388

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
380a4a15d2e01aa19474b795b9b24533

SHA1
3a9c75c7bc729a4d8f1e9544384d8b4fde55e81a

SHA256
69d50c04e8c8b8b8de83af9a5db008f683354df3bb5dcf8ab83415bc3494edd2

SHA512
9c7d0c25274876dac30ec86712a4aa6a293a6be05f4574499567d27a29390d2268f42402bae2aab8c58e870ba1b8018a4c5a1fa3dc37f38a3ec9b361e49e174c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
626420b930906fad0dcef7de250c896c

SHA1
36b2e5e7cb5c3cab0f0e891f54402fd07a39b738

SHA256
76b4c7517eff323272010c28399baf9bcff1dd8cd46d24949be627b9dfa06d11

SHA512
519ef16bdf559897cef5b69a5a9b72be33e883e07705aa7547ecb069dd273cb3a6e752c4d47f4584f7b74f6dae25474ae6dc38c3b1463ecac5478ea4fd296b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2cf5ffac9f2610f2c5d059e6b29b223b

SHA1
0f61a03dd648ac5ba0dc1b0f9fc1cfbec6548d40

SHA256
78fd7865db68beb67aee3fa8f0393326d0f1afc3d2d37d28a47e9f859cfbc6e2

SHA512
07292e80bdcd085a0397739bb689f194eab35d7f67e70469af83ee129ab9b445ba3126e2538c3d23e0662fd3d9cbf3dc1c883d1fdc770d3aa5e74926cda88bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6c5ce67d33b00f44c7a9b480720b8129

SHA1
35303fa3532484be09d41050ecdeb21d48579818

SHA256
2e5211854cffde90f29ed0ee79823a47acf23ff03c8582a3a8715c5fe13d09f5

SHA512
122c587576218582daa4d9fcb7ce293b57cb275ca13e09187e376532de063aa8e82b43b3fd75f05f3bcf8dc144a61f8e0c49d543dedbdd9a4f9d91df000a0cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4d08585985b450b75cd6ba2ab86b7bcd

SHA1
7ad0a08c79c027aa3987cf1fb971296afb42395d

SHA256
01bf0cbdc44b2ca2d4d84cefd87e2546e7e677933e756778bc39d92adb5a81f0

SHA512
f7876e7b04753894f379fdcd8e21effbc98be98c419bdced801c32886bcc978c77aa6be8a0dbdad4035ebc81d1b188f2df6058b8a794dc1714abfa10cfa55cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
15cbdf0776ba9b4f20cadd6b33f00b76

SHA1
59e115db65ee26d9685ec140142c1e2c3a39db11

SHA256
351006ce0b98f4290caa6d881c839acdb615d90bc2a665b657b4d0d728ecd61c

SHA512
4f8b206ecf3273c4e04368bf24dce31c383754db60c51901a610763047dab8d05309e7e409e6c75030b63c477d11e513e9f6824b11ee6704bd35e4d4bf053867

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5353e63b3dcc12200b81c0e575722961

SHA1
e05b99a2d84934e4b4d9d5c2b5ffc161f33a2e20

SHA256
0db4539be2882912e158c100606ec144625bb3203a8dd4278e06edac973f8bb1

SHA512
a4cf58d1d880052f7e42d0f7ac0200b8c0d8406d04c9ee35dbf5383f10eed6e425580611247e71bef8ce6632d22fa145df1bdf5e8eff9afaaf00a5cd0c3d474a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d1e2c124457991d6ae4fa1e120b6903d

SHA1
2a480e70018587f8b91b71dce724f3d818b3e226

SHA256
faf53ff1c799495df773e0cd002b5b0bd3991297ad063397dcbb12563cbffaa9

SHA512
0416a65a8c0b293b49c01c2b048bacf1674180dcba83cc3301555840e2558d2d50ca3f6c2374f55adfabafe2cc7a133d97dada93bbc4d4002c5b36943a7e7680

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
95c89ebe178d9a1638a34ca4281ad5ae

SHA1
29ec7becca410ecd402a1837930ef44a346ae3b7

SHA256
1fb7ce8c70e6eb47359bba899654bda3db5d14b586ed8726779eeb69892016c7

SHA512
fc928f511af801e35f37892bce3779197bcd47c3df61e3951500878d1798c2397458cbdfd79c4f6fd4b843c5123622ecc58356ab994c255d436b09a9d89ce8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin8

Filesize
8B

MD5
81e25843ee3142e81575c09e7b072803

SHA1
214b21ba919fa0b7ef5d7942e2c7049917249424

SHA256
48cd88a8a6c378d863ffac1b31284ecf749894feb97bcd2ec9e145812130f9e0

SHA512
e99326cc5c0e93320a1098dd4165bb9d399f4d0e7490dda0c12e7698a2013e2d02a4906b2cc1cc79476af3537c1484a33819cc95aced977993cf1d4b386ab69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBVAW.txt

Filesize
155B

MD5
f8c91c062813c5d40d7dad776438c3cc

SHA1
9db3fbda51c2f872ba693f6be0318b8d842b251c

SHA256
13b5540373c481fc4050c54b397e8569589e4a75737889bdb173c3d98343f7ef

SHA512
2e137f8920143b6a40a3ac9674e371b8e41f575a02b10765d9146ccc69091d6bc525f600304f1239c895e3a784a2c5caaa86270ebf8fe5c0b616d71eda968baf

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName@OFF@\real.exe

Filesize
500KB

MD5
e671f0d8079942eaed8d44b2c0946428

SHA1
15355b035c2158a63bdc51ba3f79d04e6cc21769

SHA256
e661f72f34ab78ab432f928d445bd107c8060dc017471b71f165d6277418988e

SHA512
44ae03cc982d0acc03ed9b997ff354f5f14d1cf9b5e24ceacd1eb4032d3439ab3c9a01ad54320362847ac0c77443e13245e016854189521b994d4829f557ad98

Download Submit
memory/64-81-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/64-21-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/64-50-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/64-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/64-15-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/208-77-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/208-87-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/208-79-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/208-74-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/208-73-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/208-83-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/208-69-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/208-153-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/208-84-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/320-171-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1616-89-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1616-88-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1616-91-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4184-178-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4336-45-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4336-65-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4336-49-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4336-48-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4336-78-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4644-0-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4644-20-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4644-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4644-13-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/4644-7-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/4644-5-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4644-4-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4644-3-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads