cybergate | a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085

General

Target

a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
Size

1.1MB
MD5

69ed0a64f4346cfdf3ff58216fea4cb8
SHA1

1bd2a03cd1c761d4f70383338abe9ca7c96c5f32
SHA256

a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085
SHA512

24a918625ba13d71bcfebf1c51994c44e08f8a92538b8dee681241a6fb65ece2401dc0d02e5b245b7f602bd16d63e388f71e395bc5d20e142305e032b0d435c7
SSDEEP

24576:UZ8kT+thCoNJ4GycFTQhCoNJ4GycFTDLn:88koNJ4GyAT5oNJ4GyATH

Score

10^/10

cybergate victima stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

victima

C2

albertiktn.no-ip.org:81

Mutex

***egbuiertbi***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
svchost.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/620-57-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/620-59-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/620-60-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/620-63-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/620-65-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/620-66-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/620-77-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1532-78-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/620-80-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1532-91-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1532-98-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1312-103-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1532-104-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1312-106-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/620-110-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/620-115-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/584-116-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/472-127-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/472-128-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/472-130-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/584-129-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2032-142-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/472-143-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2032-144-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1312-145-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

explorer.exeDllHost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sexy_girls_wallpaper.jpg	explorer.exe
File opened for modification	C:\Windows\SysWOW64\sexy_girls_wallpaper.jpg	DllHost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exea1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe

description	pid	process	target process
PID 1464 set thread context of 620	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 set thread context of 1532	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1648 set thread context of 472	1648	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1648 set thread context of 2032	1648	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1244 584 WerFault.exe explorer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1312 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 1312 explorer.exe
Token: SeDebugPrivilege 1312 explorer.exe

pid	pid_target	process	target process
1244	584	WerFault.exe	explorer.exe

pid	process
1312	explorer.exe

description	pid	process
Token: SeDebugPrivilege	1312	explorer.exe
Token: SeDebugPrivilege	1312	explorer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exea1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exeDllHost.exe

pid	process
620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
1532	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
1608	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exea1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe

pid	process
1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
1648	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exea1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe

description	pid	process	target process
PID 1464 wrote to memory of 620	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 620	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 620	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 620	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 620	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 620	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 620	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 620	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 1532	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 1532	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 1532	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 1532	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 1532	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 1532	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 1532	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 1464 wrote to memory of 1532	1464	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE
PID 620 wrote to memory of 1392	620	a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
"C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 524
5⤵
- Program crash
PID:1244

C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
3⤵
- Suspicious use of FindShellTrayWindow
PID:1532

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
"C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
6⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
C:\Users\Admin\AppData\Local\Temp\a1d3225fe615eff620faf3b35fe2b04e65cf7160705ce76e85382fc84bca2085.exe
6⤵
PID:2032

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
267KB

MD5
e097288bb10661dbf227a6aebb4d56c4

SHA1
85135beda9eee384e8ec40fcb5e823555db7836a

SHA256
521b1bc3f1e6e26e24a526e917993bc34c321a0a14a43cc3d75cb05127ab2fc3

SHA512
5a3e25bbae912ab3ea873ea31cad34b152da371bb4be2d76b355c8eb09e347e3484e8457c90be70292c4051c0a72b6f019c5950597712309592a1507a97331e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\sexy_girls_wallpaper.jpg
Filesize
37KB

MD5
378e5d23411be3a3f90f1ea563322996

SHA1
5b9acea5ac857e433e64a2fa366ea0ccf7d0dc0e

SHA256
b605d4d91f5a8ba127980c8b3b67ab80b800d525990ffdc1c9eb7e63d5234a85

SHA512
7bbe2c6e08c5c04a252834cc9f2e0a328ddf4862545351203df0bfadde0cb3fc39e0133ffadd2534500984769323aaae88a512afe452ea05aab1d52a9fc4ed25

Download Submit
memory/472-128-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/472-127-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/472-124-0x000000000045FEE0-mapping.dmp

Download
memory/472-130-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/472-143-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/584-88-0x0000000074871000-0x0000000074873000-memory.dmp

Filesize
8KB

Download
memory/584-86-0x0000000000000000-mapping.dmp

Download
memory/584-116-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/584-129-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/620-110-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/620-115-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/620-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/620-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/620-64-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/620-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/620-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/620-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/620-77-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/620-61-0x000000000045FEE0-mapping.dmp

Download
memory/620-80-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/620-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/620-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1244-117-0x0000000000000000-mapping.dmp

Download
memory/1312-106-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1312-145-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1312-103-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1312-95-0x0000000000000000-mapping.dmp

Download
memory/1532-72-0x000000000045FEE0-mapping.dmp

Download
memory/1532-104-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1532-98-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1532-91-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1532-78-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1648-107-0x0000000000000000-mapping.dmp

Download
memory/2032-136-0x000000000045FEE0-mapping.dmp

Download
memory/2032-142-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2032-144-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads