cybergate | 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725

Analysis

max time kernel
152s
max time network
107s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Size

492KB
MD5

524a63a2f02d538858d2e5fc224462f4
SHA1

442c8efab4ca9ec82410debf94a67287875e819e
SHA256

9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725
SHA512

1362a2e3ff7c745963db07120d012b537e778cda0a2c7e2726e1eb0937285316e6d31d2f60f4d2b2f9be447baed101ad2b1a864c2ba9a65d452bc7bb8114e7e7
SSDEEP

12288:amyzOwFIOBRa8Rj8XUdtlA9W/cKoDLwBoNVbfahf:ByzOOBkw+0Z2MeNVTahf

Score

10^/10

cybergate remote bootkit persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

dioslipper.no-ip.org:3460

Mutex

8W7O0NQ17EG0CJ

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
expIorer.exe
install_dir
treiber
install_file
driver.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCUx1
regkey_hklm
HKLMx1

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\treiber\\driver.exe"	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\treiber\\driver.exe"	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{027X7LMS-4E07-7275-6S56-W3X28IVH6L6P}	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{027X7LMS-4E07-7275-6S56-W3X28IVH6L6P}\StubPath = "c:\\treiber\\driver.exe Restart"	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{027X7LMS-4E07-7275-6S56-W3X28IVH6L6P}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{027X7LMS-4E07-7275-6S56-W3X28IVH6L6P}\StubPath = "c:\\treiber\\driver.exe"	explorer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-84-0x0000000010410000-0x0000000010482000-memory.dmp	upx
behavioral1/memory/2028-93-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/1392-98-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/1392-101-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/2028-103-0x0000000000220000-0x0000000000292000-memory.dmp	upx
behavioral1/memory/2028-104-0x0000000000220000-0x0000000000292000-memory.dmp	upx
behavioral1/memory/2028-106-0x0000000000220000-0x0000000000292000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCUx1 = "c:\\treiber\\driver.exe"	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLMx1 = "c:\\treiber\\driver.exe"	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 684 set thread context of 1960	684	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	28
PID 1960 set thread context of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1392	explorer.exe
Token: SeRestorePrivilege	1392	explorer.exe
Token: SeBackupPrivilege	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Token: SeRestorePrivilege	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Token: SeDebugPrivilege	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Token: SeDebugPrivilege	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
684	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 1960	684	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	28
PID 684 wrote to memory of 1960	684	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	28
PID 684 wrote to memory of 1960	684	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	28
PID 684 wrote to memory of 1960	684	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	28
PID 684 wrote to memory of 1960	684	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	28
PID 684 wrote to memory of 1960	684	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	28
PID 684 wrote to memory of 1960	684	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	28
PID 684 wrote to memory of 1960	684	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	28
PID 684 wrote to memory of 1960	684	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	28
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 1960 wrote to memory of 2028	1960	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	29
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18
PID 2028 wrote to memory of 1256	2028	9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe	18

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
  "C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
    "C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe"
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
      "C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe"
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Modifies Installed Components in the registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
236KB

MD5
43b7ac05d53a42d8881b0b8333c874c0

SHA1
1580f5ec4b3db5c931b851689e5aa9eff8c83f37

SHA256
1b4706987b50f627983d0878df4c094a48647be90a793c262d9e0a078e0dfc9c

SHA512
dac29f039eb09ab0066437802f2088a2ae28636372d3809885194b9f8388fd6434ce00b95fdbc24ef335bc9f683501d1e7c5d7b59631b40f00142cd2d2a4ff89

Download Submit
\??\c:\treiber\driver.exe

Filesize
492KB

MD5
524a63a2f02d538858d2e5fc224462f4

SHA1
442c8efab4ca9ec82410debf94a67287875e819e

SHA256
9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725

SHA512
1362a2e3ff7c745963db07120d012b537e778cda0a2c7e2726e1eb0937285316e6d31d2f60f4d2b2f9be447baed101ad2b1a864c2ba9a65d452bc7bb8114e7e7

Download Submit
memory/1256-87-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/1392-91-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1392-92-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1392-101-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1392-98-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1960-62-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1960-69-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1960-56-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1960-59-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1960-57-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1960-80-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2028-81-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-93-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/2028-82-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-84-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/2028-77-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-75-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-74-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-73-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-79-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-72-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-71-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-68-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-67-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-103-0x0000000000220000-0x0000000000292000-memory.dmp

Filesize
456KB

Download
memory/2028-104-0x0000000000220000-0x0000000000292000-memory.dmp

Filesize
456KB

Download
memory/2028-105-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2028-106-0x0000000000220000-0x0000000000292000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads