cybergate | 1e3c6f17b1489312bac21f5c9e9c49e35f1cb137532aec6eb38bb2eb84e508f2

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
Size

879KB
MD5

b833c6c71cd762a1e36074317376e0c8
SHA1

ea7d7c2bd281319c26e3dd39d1d8947bdd39729b
SHA256

1e3c6f17b1489312bac21f5c9e9c49e35f1cb137532aec6eb38bb2eb84e508f2
SHA512

c87a59c77b5937b647e6c7fc5b82655b24ba0e233ae7a90d639ab3dbf88a6e19a45f356947adf11e3f5e37efe82df00841d87ca6ccef3b7503cc2a0d5d854592
SSDEEP

24576:swQZiyIakEL2F5m5MknscLe2Pu6DXKWeWtLFh6J6QfoX:slAL8wwUcy2FLKPMLF4J6QfA

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

ozgur001122.no-ip.org:3460

Mutex

qqqqqqq

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
crss.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\crss.exe"	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\crss.exe"	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{23V1Q4X3-7FVB-5BP3-53KP-X1UW06WXAE84}	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23V1Q4X3-7FVB-5BP3-53KP-X1UW06WXAE84}\StubPath = "C:\\Windows\\install\\crss.exe Restart"	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	crss.exe

Executes dropped EXE 4 IoCs

pid	Process
408	crss.exe
2100	crss.exe
3076	crss.exe
3496	crss.exe

Loads dropped DLL 1 IoCs

pid	Process
1992	crss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\crss.exe"	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\crss.exe"	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 2664	2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	86
PID 408 set thread context of 2100	408	crss.exe	89
PID 3076 set thread context of 3496	3076	crss.exe	93

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2664-4-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2664-7-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2664-9-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2664-10-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2664-24-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2100-34-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2100-35-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2100-37-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2100-41-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2100-106-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3496-134-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\install\crss.exe	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
File opened for modification	C:\Windows\install\crss.exe	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
File opened for modification	C:\Windows\install\crss.exe	crss.exe
File opened for modification	C:\Windows\install\crss.exe	crss.exe
File opened for modification	C:\Windows\install\crss.exe	crss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3448	3496	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1992	crss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	crss.exe
Token: SeDebugPrivilege	1992	crss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2664	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
408	crss.exe
408	crss.exe
3076	crss.exe
3076	crss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2664	2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	86
PID 2460 wrote to memory of 2664	2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	86
PID 2460 wrote to memory of 2664	2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	86
PID 2460 wrote to memory of 2664	2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	86
PID 2460 wrote to memory of 2664	2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	86
PID 2460 wrote to memory of 2664	2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	86
PID 2460 wrote to memory of 2664	2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	86
PID 2460 wrote to memory of 2664	2460	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	86
PID 2664 wrote to memory of 408	2664	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	88
PID 2664 wrote to memory of 408	2664	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	88
PID 2664 wrote to memory of 408	2664	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	88
PID 2664 wrote to memory of 3360	2664	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	56
PID 2664 wrote to memory of 3360	2664	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	56
PID 2664 wrote to memory of 3360	2664	JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe	56
PID 408 wrote to memory of 2100	408	crss.exe	89
PID 408 wrote to memory of 2100	408	crss.exe	89
PID 408 wrote to memory of 2100	408	crss.exe	89
PID 408 wrote to memory of 2100	408	crss.exe	89
PID 408 wrote to memory of 2100	408	crss.exe	89
PID 408 wrote to memory of 2100	408	crss.exe	89
PID 408 wrote to memory of 2100	408	crss.exe	89
PID 408 wrote to memory of 2100	408	crss.exe	89
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91
PID 2100 wrote to memory of 1992	2100	crss.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b833c6c71cd762a1e36074317376e0c8.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\install\crss.exe
      "C:\Windows\install\crss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\install\crss.exe
        
        "C:\Windows\install\crss.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\install\crss.exe
        
        "C:\Windows\install\crss.exe"
        6⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\install\crss.exe
        
        "C:\Windows\install\crss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3076
        
        C:\Windows\install\crss.exe
        
        "C:\Windows\install\crss.exe"
        8⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 532
        9⤵
        Program crash
        
        PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3496 -ip 3496
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
469b5c32de9347b224c46a68c11d56d3

SHA1
aec31532a82f5992ee92ce4a044fbbb09dcb5f7e

SHA256
2f7caaf761b4b25ceed215e29fc69d2ae890b6edad05f363b941ef115b507a0d

SHA512
434c0763adcdf4e77704a160e92d7f445577c2e280756a9d989254a5691a84da74380ebc1e9abc0723faf6e2c59ea9355b38bbb0fb7c47cb730195e492a4bbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5699e61d96e41418e1f9625aec8f115c

SHA1
a7b49e735f815e1c8aaef7d7c763b9688d9ac39b

SHA256
367c7796900c3ef5cd3085e443b41121bf4a345c369b021852006d8c939c35e0

SHA512
23ae28b2a9f751761792c6648df2bf56b7b2e5350fc0f553f9d0a053b88aba90e7d621306222cc90ceb93470c52940d70298cf17ee2c495ded5ea9fe50219a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6c97b8fbaa289fa845763e8246a3d353

SHA1
ad9aec096d9c24b55aaa75137d7d4e6009d0a087

SHA256
29bddf27258f69e70f33c14e2fb295c206c866324cdcf4de3867a49a94aefa2f

SHA512
d0b5aa55de4fa32341995faefa8ea63a418805b106556bfae1864af1d0bf16bfd01601b87fff8d2bb8d0e4645cc30e86a70de541fc2908ac731eff68f6b359d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
640df9fd9aed9fdb0d2ab99b73e79925

SHA1
cc17ea3aa2e24033fb15989923162c796a705287

SHA256
a09ffda0e7c437ff86a6900184acdeb52d84095e7ce7b47257b1fce4273c829f

SHA512
788a58a928761e7235af2bdc36b8febb7568db89020e2f5246ac6778d45e4c6048d16e63001183b3f401ccaf1f039e67bd43c8408dc0408518fb198d8d9bf631

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
986c030609020360e878ea3ce48552bf

SHA1
935287373ae0b4cfeedba46aed30ae17d8a39970

SHA256
30bfc42febfaafe6900eca31e1f9c5e633e45ec611ffbce4ad6bc6a1cd47bfdc

SHA512
b8c3c4020baf25c64e7c5c7be490d061326a9f80b11d4556eb4e147ea9b9498c9698b281674037760624000c968fd3827bca82133b6a2d27ae1f642c1098343a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4e6050546f0c1264d52776880f3b4c3a

SHA1
d9dbb984526cb209805e1a67be772d52196ab791

SHA256
bc842cb38c4e09f794df08095cd6fdb581de432a0872c8820ce0e82a9551cf32

SHA512
e99f9b24f34494d54ce62d5d442a68d2413962a3411ac5cebcca7220166fef937e21cffbc74404e36df0bc5b44c530665cd156018170f2b6a6dff8a339611fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e224d315b52e495a46b7d7eb32fb17ba

SHA1
7f65d6e9270fa3b35fb15edc47dd10abee60f5f6

SHA256
4cf6bf64e3e0db10d2777544bc88cf273776be537b94119a734fbbbf92b32553

SHA512
674d3339434772c19e1679c3b49451ee66a05d83a7a566cb7c369d3e71edec006681453648ed8525be458daa5a2a4b4d80d374948c509e26c8fa00a4a496baaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
899e1b9b59403963922ae093f2982501

SHA1
20bc8215f00435d5477ae7450d0732193c99cf3a

SHA256
de48a3bcc1820e16fa97acf5aa37d1b157d9282a944fd810ad6800ebef37b48f

SHA512
493cd3fa3d5793c67a782d23dfdb0bb4110c4086786061ba63a137e5532003640aa046f61201b4774779de265fc8003a3be136a64c89bf44c86285f510702b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cfef99795a985dc548d551e4b6b8004a

SHA1
c4e2c23f0425bb2737f22e7f2749a45fd3f91e9b

SHA256
d59eaf60f7f723e3b1456ea3943a9e61539e5221f110756b157aa94df003b261

SHA512
3f253824a1b2416860c19912b86dab8ed3ef07664e526ffa623832709ecbf6383f890f858c656b9ea7da839dada560b627ab1e6a620d9e76343c09519c52722c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f04b1f6be6ff210b216455cbd220e5cb

SHA1
a1c55ba3311aacd3c62f9a880050a31cf29c0083

SHA256
ec97ea4bb7e763593074ad12b16cc1c8f2ff2cc54f9d68fb577fa73e32782ed2

SHA512
f39cd908aec999225c17477f1d2d0cd61becf0c5a3ce548baf6941d54e38ab1632a70751c6be5d5fde86a99f220f2f8cff9067d3971d718987709f2b575ea420

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
49ac65d86aa5842bcc4bf494ca3ad82f

SHA1
70f28b61f36c5eaa80e3265e7b7ad4cdbb2c7ef2

SHA256
333100de9a59f46a6818182e744e7ce4e30bcc6b7d4a88535cb3d48ce79381c5

SHA512
55eada416ab40aec5b3c2bfeb5bfe57fa9d7838e7c4ac26a25577da45a19e3aded26abd8190ab588ed91f163ea856fcd9e409ad57a681cc8849d24e660387a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
26802beb76a7bec1e33aed27bf606a1d

SHA1
7dd48a7bf04bb2297e7c48c7c178e8e4fbc9615d

SHA256
9311d66ff9dfca01f9f8af9b0d990d6381e51019521394065cfcbc052098a70b

SHA512
0ef16a3cd7c2fa07c7dd90538707a5ef119878fff69409c5cb92b01f84c0ac2708931347fed3db75a4d3e62f4d1281954bce728b9afd3e1b7c697998a87aa3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
44bd46ebd5cc7dc2f335563f23f9ef75

SHA1
289e8739f10716b204e355247aa3c48d48dbcb70

SHA256
3f975cf9ed2c5ecc904a0de7173795b65685b07534fe7423f286b2bac5b55469

SHA512
aa85424e8d27cecf52475bc0d80ee50c6e621d5c4ac2792d1999301691a2c626e20f5c35a3bdcc3ef47f34a023e8250858cdd6d3538e3a6c841f92093ced59cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7ea9ea03307cd7aad54c46ac1c043560

SHA1
aab03c06a07ce8869dca4ab3d69dc8f29cdeebfe

SHA256
af4e2857ea078d0c57140c2fa658063086e2f86f90832d2fb51a362d6081d9c1

SHA512
5eeb9e707378faea63ebadef1a2ee72651fcd04c5804a1e4b0356c2b5d2abbf9f0678b76ea84891e8da7d8db4ef317625824a9bcdd052c98c0190c467a3e1844

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
49e2e980cac33bfc6ef196fd3368d8ac

SHA1
f428f667ef9622593c93e0da1ca89631f615503b

SHA256
d52826aa05e0f901495ea58a60eb7436b59afe83b110c2db4ee916962cf50db0

SHA512
fb45e2304e10b8d97369a9a5eb08e422b545c376b36a14e4acb3914430e5c3002b30a737e8afa65441633fac86e456adc09d60da3d4cab95687ec0f12e40bb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9e42b69a315232131a75aff57b4af536

SHA1
0e6bb4e53d53b7d984b3ea45bd4938ab0978f4aa

SHA256
2d559968be36b72d8573fdf0c9c5f137276447154f9ffb9e0235403187e1309d

SHA512
902cbc960a4fcc1869eaaa80aa027659e3e5514b6d256c88cc9ff57f101aad62f620ef032cb68442a5ac4569b10c4b008e9ecb47b15cf25299464a9c5e671d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9b03cd6f0fae4deabc99c7c978dbad45

SHA1
71eace1080098aea38afb23a01eb8ac8bc50c321

SHA256
fddb7dbd104b05300acb1f50f7046344bb531bbdba43854a0e8f1667a0542fe5

SHA512
b2dd01dec71970bf5c449fbce022026c5cb4baa3d0d568d88e1f3180519c1850d88244507af0573562ba895db598b2eca9123dbf888dbf93cf8fdd6cc510f848

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef85934e5770f02c3ba09ea41b1145fa

SHA1
49b111a396fb60c00c4da969a38f6741be3002f5

SHA256
8fed60d544a1c13ef03c59546b0b77c2b7011a8b2a44005b03dc3cb4ae0d41b2

SHA512
98168211f568b2df89c5d38464c4e5366d7e551d6ee617b7a29bfb2c701bca86121689f949c0f2552a6943d8760fad9bef6476287661d656c34fc6ae68f4fc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
efcdb671dd5036b9bc8dc59494e56007

SHA1
138ade14e4004eb80927074942675b332a1647dc

SHA256
1924c743a715a2ee166b9f061779a5c24d447c5c2bb68fd48106daa0daad6b22

SHA512
728e4cdba4780adf083b8eed30b11d75854f67493f8f9097669fc27deb6122ebc47a6b015b4f9430cf49cad43ebe33a0dae976a7fbb25ee9e4cbc8ceddd7d65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ff47bc6d68b8c65608da3ac3e61c6fe9

SHA1
fe32f4fd0fd3fb1304ef217dab75149827d8b7dc

SHA256
68a211162da2e72db28047000e68c532d067e1e39d6ade9a25b5db89f6d5e481

SHA512
a4f9d28303449cb661ade9fceaf16511a64fa9a4a29c33eed59c9ea3d2acc75b268df150ce9e4988ca0fe966c137c6186cce5b80315e2ef3fa4f137b0a16e1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ced92387feb1becef9c615e8313e198d

SHA1
9b13ae682d693085c28b4c4164758e5e2469e25e

SHA256
74e38f079404aae36aad801ba94e7356d9daadd09f2f485d52a2a1f812c9fb6e

SHA512
669e0ecc54fa95a3ebf60952ecc93cc52191d836a077e1c8006163a47c8df2fd8c1a083dca2c75921bc8ba4b2ac54d50529b9725077fdcab6e8f2254e731e087

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0f384df6bb41233bb32bdcb43644907a

SHA1
392ff54b2dc8cd45bff32c56f3ad39bafb6a0f71

SHA256
aabbb7d3b42d2287abc8add5622488688dba3f3df9b015ebcf4ff4cecf1a79fc

SHA512
c16c1aa9868706f09ffc5157b1e17aa09d2af6d195eb2429eaaf0daedf848a648af0966ad29258a7a11be2b5b6aadf28f5f7918488eedfdd6b40e8f1758ff39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4462c9143cba1d16c046fc12fefa594b

SHA1
eb431c608542eafa242309528848ab42575ece84

SHA256
495f742002f59880d6257e5704e519e6d57520dbbf506aa09ad47a4652067417

SHA512
7876a0e2f9ef8165ecab2e046615a2871917c744892f1285b35bd9a3ca5235e0602d2773cb96ee0fa5887aa6a2468ab03e36d138d650339f62d7141b0a59189d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d54d74eb718d06ffaad5f12080c09c13

SHA1
8d2f1b8160999c370d1bf90965aa3f9c285f1227

SHA256
addaf554dccaf42e06cd2af2d12a63089989b1e96ea5afbef2eac47883a7a93b

SHA512
978e161ac5b021861911e3645aabb18fcfe59edaf353bfe65423b5c7bb6bc4dc39e0480c6b6250e365fd766cec49040ab8a5f2e2870c77b3b64fa0298ead2b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
035103f7c2ef83b2de21a8b084931eef

SHA1
0a648deaa8058316543813706e31b65b75fa81d0

SHA256
8a0c5725ecb90dc7e676d248c693d1c52bec5745d7e5f8a299586ee1fc79ef6f

SHA512
1cf30a0c860ff227c88a077c22c24f8c748b7ede552b4c46c104d2ded38d107c3562aaa7ed41ef54e0e828f88180a0f0af1e138457a46dbdde36c5bc04e656d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
77cbb37fcdafad883b7f71aaa659c9e4

SHA1
9897f83221be968a7d394ac6cb609c8365997dfa

SHA256
d0729d596b0744f00ddf0a15b18048a30fd0c84bff043a6fceebcb263554047c

SHA512
479c09322e78846301cdc59b539f1ef176da5370bfa173a08ca15ac6bc5d3aecf48b569858bcb9e9c7156c6d2a8a528d6e15c990d8bbf8f991a11cb63da46b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4a039d57373d5cbe86cebe64a65a24db

SHA1
929e50b1da4b1b5a328cd30f0fc8269b79160fff

SHA256
ae29f3526bd4151815bb50ff0c46a69b9c0aa6766f739052ea4313f832b7d313

SHA512
4ef88679b8a5d43077e5f72fb2ab683f87636d2c52c401c6f8b2109b197d06b050f65e33a1a6920ebb25f1617ca90e893e6a95e9871038b8856e07658b02c7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
28f20e0218759b5bc235277876972fba

SHA1
d4f50bd2b64b1a5db23d462f26f5eb71cfb5cec4

SHA256
0bb52b2e39d955174d48e03859c4d8ee3145643abc71142f0ab5b09f081d0d9c

SHA512
01999fe8089586ff9f4b130c3e35b18131c38f1b9c4559da76ba8239f39d85d870293c51a6a6f8f6353ca27061e453b6a70b3eae7047d889608017f09dc2f621

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7a335b9630428b07c2979005059a3365

SHA1
e64f7440ae9fc4447449c13f174c0220504c0fcc

SHA256
3b64b5b0e8ec1164e5590851ce6cff988ed0ae6d0f0fc4e927e6c2564a7005a8

SHA512
78e49fe7249f9eb6549bf1b146865c7e2c0f0d8f2d6d7e8183335e2a61c2421f2749ec50e61b823392ca0b6c46d2b2e25ebb6f6251257c5000e013f2e502f0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dd135b0fbb1ef17309d370ff87f0adcd

SHA1
130beb9a840bf403feee216b983851f9859ced70

SHA256
3d9a26e19c71540af793ea445773736ac4f796178e1cddb353139f5a1d26013e

SHA512
8d60f092d33a6c250f4c2f712dc1abf5f023a5892c3d812278801db9546023a9f2cf502c2d358c63d665472a2b1c7e3a5d418568b015db19ef2fbbe75d8dd524

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c94f159b85ffb38811685befc6c51fb2

SHA1
7199a6e9b880033915d44f6259fa6bd30a8116b6

SHA256
572f55cad6fe1050b3c4c331f359980958cca2192ece9138e635bf367d95be10

SHA512
76c257e8302d789b242362b0de968f7f4e14ccd16382823bb7ea210c1afa6d26d5d7ea28e89e083bd25f3f09729ba4dd090617c83189d373fa9c63d784306a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8a07106512f67ed94a5209c767547b13

SHA1
ed01df5d04f4daa1b9892f4e40f984a3ae83bdd2

SHA256
96e0be16331ad3d8d60889df5a5f7a0f79e9a524fed1510a78ae2ac183253ac7

SHA512
bf9d97913121f50d41d19ccc786a9bb1113a2a53530d4e139c4d1315d5756c159df9832a957f134161086cd2c1ff52bc4d74b3a41770600e500aab5d224096d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
50762ce8d681736fbf830221740b1dd7

SHA1
fb991260b3bb525e7ea6b67cb6603ccc5740e51f

SHA256
a430608d5bf4781d4fb0cd845552ddf27ab03bc363c7e1aa312b980724ae416a

SHA512
0b6b68595852a8f9ab56bd2ed21fdf9d1ed122cd2241d73e611845ba7546e6c33b7279d5a446491281264bf5b984894047a6d4b4605fddc18cdf9d124e6229be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef0e8a082f6fd5f91cfb59bbdd325acd

SHA1
246c2c5b4b392d12d5c5bbfa0aef35faebad645d

SHA256
ae125d2982f99c3ba208a8bebcf00a17290090969b442a5192fc745cc5990a9e

SHA512
f5641e9bf71036d1c8a6ed85c218a9e1766bf5ef6daa1c021e6338664b104c896d9f1c7365fa1f070fb44b0c066ab5f7420ccd1e7e1736f3c041a292dc313737

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
128528450d492c8ef7e3f05a16c29853

SHA1
a39a7482773696ca1bce078b03af8f226d34a469

SHA256
5be58541b77a5d9e2bff46bfc28f5397ddb180e784baadfb2246034ba7e40536

SHA512
3007f3871955d6d68c1adbefcd513d1e7505b8b6110af42d0b3ed9a6046c4c5254506b497247102a2884b58dafa7df613ede1643f9ac33c229676e9294fbd5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
82bcd98bb6c7d5b189663ae81ea1af06

SHA1
7c2fc023803f980793566861124d2acd3a6851a0

SHA256
6d8f51c3c4effe9795a798fa871239f855ef2a41e9b67ac46724940690e09a4e

SHA512
90f638936b3fd725a317508b7f5ef480742067851bbd6012ae0ee05ffd95b2e17eb730399dbce23453ffa24348e905d77ef7822f7986ba7bc697f28c8274e411

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
912db37d25be48d4e9b9e99855401d54

SHA1
fb59ebe94a410ea30958287ccec4ab6d3fb5d16c

SHA256
e1ab5fdf81dd40ee53fb6fc468c2046cb2341a82c98c34e85a555f5407957213

SHA512
4feacad653c852f8af04429dc6cac3519cd1dcd27236a1513902a931c671a3e88712a0fb7c47d690f3e8b665938219fcf8c0e9de4905d900ea79876260349ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
351312f27bcbb572a6ee4070333ae370

SHA1
d730ebe5861192a83deb3c42a037af37790035b2

SHA256
368e3dcff7b855b5bbfb655d8d99e19826cd4e63dba9dfbc3b77062a088d59dd

SHA512
e0b3f475ac43885e12b7a29050849f02b51f0f1bbe9d41a1a33f7871f546ed98c1ed4b2b0bf334eaec9746c2b03ebd7a6ab058b66e7b572c7dbc6cd29fe764e6

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\install\crss.exe

Filesize
879KB

MD5
b833c6c71cd762a1e36074317376e0c8

SHA1
ea7d7c2bd281319c26e3dd39d1d8947bdd39729b

SHA256
1e3c6f17b1489312bac21f5c9e9c49e35f1cb137532aec6eb38bb2eb84e508f2

SHA512
c87a59c77b5937b647e6c7fc5b82655b24ba0e233ae7a90d639ab3dbf88a6e19a45f356947adf11e3f5e37efe82df00841d87ca6ccef3b7503cc2a0d5d854592

Download Submit
\??\c:\users\admin\appdata\local\temp\6EF69DFE

Filesize
14B

MD5
b35e8dacf79e7b938158404de13a5ff0

SHA1
42317db54e891530e093acae9ef8cac1ac2bc458

SHA256
2f2992ecc5ef905a56fee35633835ac64a7afa01683e438dff92c77e8c3d1364

SHA512
7890cb55d74bf5905d766c10fac48f7aa795e01973eff188447d2e61e64efdd74afc24773b4d56055b26da6328f833b664a48051221c82d9e1a9d9526ed260c6

Download Submit
memory/408-38-0x0000000000400000-0x000000000079D000-memory.dmp

Filesize
3.6MB

Download
memory/1992-43-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1992-139-0x0000000000400000-0x000000000079D000-memory.dmp

Filesize
3.6MB

Download
memory/1992-42-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2100-106-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-35-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-37-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-41-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2100-34-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2460-0-0x0000000000400000-0x000000000079D000-memory.dmp

Filesize
3.6MB

Download
memory/2460-8-0x0000000000400000-0x000000000079D000-memory.dmp

Filesize
3.6MB

Download
memory/2664-10-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2664-9-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2664-7-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2664-24-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2664-4-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3076-136-0x0000000000400000-0x000000000079D000-memory.dmp

Filesize
3.6MB

Download
memory/3360-21-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3496-134-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads