cybergate | 91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f

General

Target

91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
Size

457KB
MD5

76c5a8145c450cc948ee193a3c3ba1c7
SHA1

07522978ac0c1d95d025937776fabb8386c95482
SHA256

91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f
SHA512

fc8bbc6f53987ad37e040961ee60dc8fe9d45aba9ed633f1c11565d832820adfe94d4db1f8d29236b41e478793b0b052f248dcbeaf6353d80fde376e69284a7d
SSDEEP

12288:Q1+bhNofZJtELfbEZlBPsxgaH8ZujeAVO9EHTdkx:KaNaLCT+l9sx98ZujewaEWx

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

victime

C2

farfouch-hacker.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

Executes dropped EXE 2 IoCs

Processes:

server.exeserver.exe

pid process

1488 server.exe
1928 server.exe

pid	process
1488	server.exe
1928	server.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1780-55-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1780-58-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1780-60-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1780-64-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1780-66-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1780-65-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1780-70-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1780-76-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1804-81-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1928-100-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1928-101-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1928-102-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1804-104-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1804-106-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

pid	process
1804	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
1804	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exeserver.exe

description	pid	process	target process
PID 1884 set thread context of 1780	1884	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
PID 1488 set thread context of 1928	1488	server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

pid process

1780 91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

pid process

1804 91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

pid	process
1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

description	pid	process
Token: SeDebugPrivilege	1804	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
Token: SeDebugPrivilege	1804	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe

description	pid	process	target process
PID 1884 wrote to memory of 1780	1884	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
PID 1884 wrote to memory of 1780	1884	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
PID 1884 wrote to memory of 1780	1884	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
PID 1884 wrote to memory of 1780	1884	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
PID 1884 wrote to memory of 1780	1884	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
PID 1884 wrote to memory of 1780	1884	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
PID 1884 wrote to memory of 1780	1884	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
PID 1884 wrote to memory of 1780	1884	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe
PID 1780 wrote to memory of 2008	1780	91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
"C:\Users\Admin\AppData\Local\Temp\91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
C:\Users\Admin\AppData\Local\Temp\91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe
"C:\Users\Admin\AppData\Local\Temp\91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\dir\install\install\server.exe
"C:\dir\install\install\server.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1488

C:\dir\install\install\server.exe
C:\dir\install\install\server.exe
5⤵
- Executes dropped EXE
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
230KB

MD5
823069f778374372cbbcd0a916383188

SHA1
a4bc29a62f342530c77b3e13384d0a755d7a96d0

SHA256
6584ee93f93d55bee0aa623ef83bc314a8aecf3af1c58773171d4693e4278225

SHA512
0c5b40a26877f5dcdcc799248455313ac0938312d100993b9fdab9fbe858be7ec93160014b559fcfede6bf16f26af4e42e28bd24865e2046641ffa11462d8580

Download Submit
C:\dir\install\install\server.exe
Filesize
457KB

MD5
76c5a8145c450cc948ee193a3c3ba1c7

SHA1
07522978ac0c1d95d025937776fabb8386c95482

SHA256
91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f

SHA512
fc8bbc6f53987ad37e040961ee60dc8fe9d45aba9ed633f1c11565d832820adfe94d4db1f8d29236b41e478793b0b052f248dcbeaf6353d80fde376e69284a7d

Download Submit
C:\dir\install\install\server.exe
Filesize
457KB

MD5
76c5a8145c450cc948ee193a3c3ba1c7

SHA1
07522978ac0c1d95d025937776fabb8386c95482

SHA256
91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f

SHA512
fc8bbc6f53987ad37e040961ee60dc8fe9d45aba9ed633f1c11565d832820adfe94d4db1f8d29236b41e478793b0b052f248dcbeaf6353d80fde376e69284a7d

Download Submit
C:\dir\install\install\server.exe
Filesize
457KB

MD5
76c5a8145c450cc948ee193a3c3ba1c7

SHA1
07522978ac0c1d95d025937776fabb8386c95482

SHA256
91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f

SHA512
fc8bbc6f53987ad37e040961ee60dc8fe9d45aba9ed633f1c11565d832820adfe94d4db1f8d29236b41e478793b0b052f248dcbeaf6353d80fde376e69284a7d

Download Submit
\dir\install\install\server.exe
Filesize
457KB

MD5
76c5a8145c450cc948ee193a3c3ba1c7

SHA1
07522978ac0c1d95d025937776fabb8386c95482

SHA256
91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f

SHA512
fc8bbc6f53987ad37e040961ee60dc8fe9d45aba9ed633f1c11565d832820adfe94d4db1f8d29236b41e478793b0b052f248dcbeaf6353d80fde376e69284a7d

Download Submit
\dir\install\install\server.exe
Filesize
457KB

MD5
76c5a8145c450cc948ee193a3c3ba1c7

SHA1
07522978ac0c1d95d025937776fabb8386c95482

SHA256
91c26835138ea6be11d9df5aa21a8f020584647621b6252f06a10b0ada7b598f

SHA512
fc8bbc6f53987ad37e040961ee60dc8fe9d45aba9ed633f1c11565d832820adfe94d4db1f8d29236b41e478793b0b052f248dcbeaf6353d80fde376e69284a7d

Download Submit
memory/1488-87-0x0000000000000000-mapping.dmp

Download
memory/1780-82-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1780-65-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1780-67-0x0000000000412000-0x0000000000457000-memory.dmp

Filesize
276KB

Download
memory/1780-68-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1780-70-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1780-55-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1780-76-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1780-60-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1780-58-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1780-54-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1780-66-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1780-63-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1780-64-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1780-62-0x0000000000455EA0-mapping.dmp

Download
memory/1804-79-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1804-81-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1804-74-0x0000000000000000-mapping.dmp

Download
memory/1804-104-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1804-106-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1928-97-0x0000000000455EA0-mapping.dmp

Download
memory/1928-100-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1928-101-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1928-102-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1928-103-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1928-105-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads