cybergate | a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd

General

Target

a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
Size

280KB
MD5

d9cdac6b76c19890fa4425331194d053
SHA1

93a4d30ef16af550827d7c5a0ab7267a8b6e6910
SHA256

a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd
SHA512

791ef5a90c906d2128e099406789ed7cee2568139d70f5f7f1fbbe1adabfa5c2326d0b6f1aaba975a7f58e86b5735117849c5894d58750f04002a4f85efd8e6f
SSDEEP

6144:O3LZcsxZZQttyCVxaWYSdMU/77hlruc6XmDoTbcI7CPPd5:KqeAtpVxagMU/plruchDofAP/

Score

10^/10

cybergate slave persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

Slave

C2

twoshank.no-ip.info:82

Mutex

VC2XAYOA2N8X73

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
winlog.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
abc123

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\winlog.exe"	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\winlog.exe"	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

Executes dropped EXE 2 IoCs

Processes:

winlog.exewinlog.exe

pid process

1652 winlog.exe
1864 winlog.exe

pid	process
1652	winlog.exe
1864	winlog.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{S20J5FVE-M4MQ-XDXF-4LHG-3WT42HJ7D2P7}	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S20J5FVE-M4MQ-XDXF-4LHG-3WT42HJ7D2P7}\StubPath = "C:\\Windows\\system32\\install\\winlog.exe Restart"	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1180-56-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral1/memory/1180-62-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/824-67-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/824-80-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/824-81-0x0000000024070000-0x00000000240CF000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exea5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

pid	process
824	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
824	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

Drops file in System32 directory 2 IoCs

Processes:

a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\install\winlog.exe	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
File opened for modification	C:\Windows\SysWOW64\install\winlog.exe	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

pid process

1180 a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

pid process

824 a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

pid	process
1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

description	pid	process
Token: SeDebugPrivilege	824	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
Token: SeDebugPrivilege	824	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

pid process

1180 a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

pid	process
1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe

description	pid	process	target process
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe
PID 1180 wrote to memory of 1308	1180	a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe	iexplore.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
"C:\Users\Admin\AppData\Local\Temp\a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe
"C:\Users\Admin\AppData\Local\Temp\a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\install\winlog.exe
"C:\Windows\system32\install\winlog.exe"
4⤵
- Executes dropped EXE
PID:1864

C:\Windows\SysWOW64\install\winlog.exe
"C:\Windows\system32\install\winlog.exe"
3⤵
- Executes dropped EXE
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
219KB

MD5
31be9ed2b3007ff15f9cf858968a793e

SHA1
ec852ea276d0b71cff02b3a9bfe18dcd682586f7

SHA256
4ef5a1d403d1192ed025ce9e89b540547ba598cf283b73e20cb333c8c4d761cf

SHA512
ee766b0975a8444de8ce2659a618492fbe9efa005f7f7f9d353ade68ea4a767e4661df6ebeb2cac07a00a5944f4e39d76fc352cc6d6aff296094994e80788d08

Download Submit
C:\Windows\SysWOW64\install\winlog.exe
Filesize
280KB

MD5
d9cdac6b76c19890fa4425331194d053

SHA1
93a4d30ef16af550827d7c5a0ab7267a8b6e6910

SHA256
a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd

SHA512
791ef5a90c906d2128e099406789ed7cee2568139d70f5f7f1fbbe1adabfa5c2326d0b6f1aaba975a7f58e86b5735117849c5894d58750f04002a4f85efd8e6f

Download Submit
C:\Windows\SysWOW64\install\winlog.exe
Filesize
280KB

MD5
d9cdac6b76c19890fa4425331194d053

SHA1
93a4d30ef16af550827d7c5a0ab7267a8b6e6910

SHA256
a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd

SHA512
791ef5a90c906d2128e099406789ed7cee2568139d70f5f7f1fbbe1adabfa5c2326d0b6f1aaba975a7f58e86b5735117849c5894d58750f04002a4f85efd8e6f

Download Submit
C:\Windows\SysWOW64\install\winlog.exe
Filesize
280KB

MD5
d9cdac6b76c19890fa4425331194d053

SHA1
93a4d30ef16af550827d7c5a0ab7267a8b6e6910

SHA256
a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd

SHA512
791ef5a90c906d2128e099406789ed7cee2568139d70f5f7f1fbbe1adabfa5c2326d0b6f1aaba975a7f58e86b5735117849c5894d58750f04002a4f85efd8e6f

Download Submit
\Windows\SysWOW64\install\winlog.exe
Filesize
280KB

MD5
d9cdac6b76c19890fa4425331194d053

SHA1
93a4d30ef16af550827d7c5a0ab7267a8b6e6910

SHA256
a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd

SHA512
791ef5a90c906d2128e099406789ed7cee2568139d70f5f7f1fbbe1adabfa5c2326d0b6f1aaba975a7f58e86b5735117849c5894d58750f04002a4f85efd8e6f

Download Submit
\Windows\SysWOW64\install\winlog.exe
Filesize
280KB

MD5
d9cdac6b76c19890fa4425331194d053

SHA1
93a4d30ef16af550827d7c5a0ab7267a8b6e6910

SHA256
a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd

SHA512
791ef5a90c906d2128e099406789ed7cee2568139d70f5f7f1fbbe1adabfa5c2326d0b6f1aaba975a7f58e86b5735117849c5894d58750f04002a4f85efd8e6f

Download Submit
\Windows\SysWOW64\install\winlog.exe
Filesize
280KB

MD5
d9cdac6b76c19890fa4425331194d053

SHA1
93a4d30ef16af550827d7c5a0ab7267a8b6e6910

SHA256
a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd

SHA512
791ef5a90c906d2128e099406789ed7cee2568139d70f5f7f1fbbe1adabfa5c2326d0b6f1aaba975a7f58e86b5735117849c5894d58750f04002a4f85efd8e6f

Download Submit
\Windows\SysWOW64\install\winlog.exe
Filesize
280KB

MD5
d9cdac6b76c19890fa4425331194d053

SHA1
93a4d30ef16af550827d7c5a0ab7267a8b6e6910

SHA256
a5f1b1a528e2cf138ab966abb46069a01f8ba4f62009b91a5ef572e03c6595fd

SHA512
791ef5a90c906d2128e099406789ed7cee2568139d70f5f7f1fbbe1adabfa5c2326d0b6f1aaba975a7f58e86b5735117849c5894d58750f04002a4f85efd8e6f

Download Submit
memory/824-67-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/824-65-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/824-60-0x0000000000000000-mapping.dmp

Download
memory/824-80-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/824-81-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/1180-62-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/1180-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1180-56-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/1652-73-0x0000000000000000-mapping.dmp

Download
memory/1864-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads