cybergate | 5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

Analysis

max time kernel
179s
max time network
101s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Size

652KB
MD5

4b328465fa5c96d11bef876bcf9fc55f
SHA1

f5b9d8710b6fc5490872019cb32666ebbf64c64d
SHA256

5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73
SHA512

9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11
SSDEEP

12288:pb6lQ4dLOSwCDfJqlE6uGiGSAlVLuBRzXA2oAMHVB66EYAUTS9D/ksSzQR2:xWLtwCc26uGi2VCHXSBzTaDMsAQR2

Score

10^/10

cybergate vítima persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

127.0.0.1:1000

glider.no-ip.biz:1000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Svchost
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Svchost\\server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Svchost\\server.exe"	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Svchost\\server.exe"	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Svchost\\server.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Svchost\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Svchost\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Svchost\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Svchost\\server.exe"	server.exe

Executes dropped EXE 8 IoCs

pid	Process
2924	server.exe
4124	server.exe
4240	server.exe
4272	server.exe
5396	server.exe
6992	server.exe
1564	server.exe
3320	server.exe

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6414FEGH-54KR-QUHB-2IS2-0403EK6618H0}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6414FEGH-54KR-QUHB-2IS2-0403EK6618H0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost\\server.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6414FEGH-54KR-QUHB-2IS2-0403EK6618H0}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6414FEGH-54KR-QUHB-2IS2-0403EK6618H0}\StubPath = "C:\\Windows\\SysWOW64\\Svchost\\server.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6414FEGH-54KR-QUHB-2IS2-0403EK6618H0}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6414FEGH-54KR-QUHB-2IS2-0403EK6618H0}\StubPath = "C:\\Windows\\SysWOW64\\Svchost\\server.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6414FEGH-54KR-QUHB-2IS2-0403EK6618H0}	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6414FEGH-54KR-QUHB-2IS2-0403EK6618H0}\StubPath = "C:\\Windows\\system32\\Svchost\\server.exe Restart"	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6414FEGH-54KR-QUHB-2IS2-0403EK6618H0}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6414FEGH-54KR-QUHB-2IS2-0403EK6618H0}\StubPath = "C:\\Windows\\system32\\Svchost\\server.exe"	explorer.exe

Loads dropped DLL 15 IoCs

pid	Process
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
624	explorer.exe
3216	WerFault.exe
3216	WerFault.exe
7116	WerFault.exe
7116	WerFault.exe
7116	WerFault.exe
3216	WerFault.exe
2976	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Svchost\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Svchost\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Svchost\\server.exe"	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Svchost\\server.exe"	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Svchost\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Svchost\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Svchost\\server.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Svchost\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Svchost\server.exe	server.exe
File created	C:\Windows\SysWOW64\Svchost\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Svchost\server.exe	server.exe
File created	C:\Windows\SysWOW64\Svchost\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Svchost\	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
File created	C:\Windows\SysWOW64\Svchost\server.exe	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
File opened for modification	C:\Windows\SysWOW64\Svchost\server.exe	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
File opened for modification	C:\Windows\SysWOW64\Svchost\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Svchost\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Svchost\server.exe	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
7116	4240	WerFault.exe	35
3216	1564	WerFault.exe	41

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2976	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
Token: SeDebugPrivilege	2976	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16
PID 1936 wrote to memory of 1432	1936	5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1432
- C:\Users\Admin\AppData\Local\Temp\5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
  "C:\Users\Admin\AppData\Local\Temp\5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe"
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    PID:624
  - - C:\Windows\SysWOW64\Svchost\server.exe
      "C:\Windows\system32\Svchost\server.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in System32 directory
      PID:2924
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4188
    - - C:\Windows\SysWOW64\Svchost\server.exe
        
        "C:\Windows\SysWOW64\Svchost\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:4272
  - - C:\Windows\SysWOW64\Svchost\server.exe
      "C:\Windows\system32\Svchost\server.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in System32 directory
      PID:4124
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\Svchost\server.exe
        
        "C:\Windows\SysWOW64\Svchost\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:4240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 272
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:7116
  - - C:\Windows\SysWOW64\Svchost\server.exe
      "C:\Windows\system32\Svchost\server.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in System32 directory
      PID:5396
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:876
    - - C:\Windows\SysWOW64\Svchost\server.exe
        
        "C:\Windows\SysWOW64\Svchost\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:1564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 500
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:3216
  - - C:\Windows\SysWOW64\Svchost\server.exe
      "C:\Windows\system32\Svchost\server.exe"
      4⤵
      Executes dropped EXE
      PID:6992
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2908
- - C:\Users\Admin\AppData\Local\Temp\5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe
    "C:\Users\Admin\AppData\Local\Temp\5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
  - - C:\Windows\SysWOW64\Svchost\server.exe
      "C:\Windows\SysWOW64\Svchost\server.exe"
      4⤵
      Executes dropped EXE
      PID:3320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
f132ae7654fbcd48666ca0dd71566baa

SHA1
442f5f24e20009abe0ea9c724060aa13a14d4260

SHA256
efe0c0e8cfbebeb2cb8f2304308d52a7d21f46bafd912cc217ad33a2f8f73ad7

SHA512
b7d08dbc9a23c98ab839502d2684df99292b2fef7402ecddb63a7f2d50507b3ab445caf067f8ed4b2696376da2155d655a6921eaa8743660461d5678e1bff8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
f132ae7654fbcd48666ca0dd71566baa

SHA1
442f5f24e20009abe0ea9c724060aa13a14d4260

SHA256
efe0c0e8cfbebeb2cb8f2304308d52a7d21f46bafd912cc217ad33a2f8f73ad7

SHA512
b7d08dbc9a23c98ab839502d2684df99292b2fef7402ecddb63a7f2d50507b3ab445caf067f8ed4b2696376da2155d655a6921eaa8743660461d5678e1bff8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
f8cdfb16abb7b6f3bd9888de952e74f7

SHA1
4399d35fb9ae3025683824c8dd02861b63779743

SHA256
784019a12c3fd74d9b0224e916582ec91281a93e2487de61e76505070dd81cf0

SHA512
79e333201b1bed9c1c07e258ba26a3d4278379d65956d238b5f3174afd64bc5d8b37023b1246b08d4fc4beffc4b59b8a933861bb7c1311d9f8ca3969bb2dca04

Download Submit
C:\Users\Admin\AppData\Roaming\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
C:\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
C:\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
C:\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
C:\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
C:\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
C:\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
C:\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
C:\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
C:\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
\Windows\SysWOW64\Svchost\server.exe

Filesize
652KB

MD5
4b328465fa5c96d11bef876bcf9fc55f

SHA1
f5b9d8710b6fc5490872019cb32666ebbf64c64d

SHA256
5431187dc44b05fd42ef9eb30c8704bc42e076de2d92991b1a1d320ae0e14d73

SHA512
9ffd12438c05b2340dca5e837dce3feb3e0265e2ce09c964f7a5c28158f6ee555040bc586ef0bbab25beb1aad6413b506d4dd445013af730ec1ade7127d63d11

Download Submit
memory/624-207-0x0000000008B00000-0x0000000008BAC000-memory.dmp

Filesize
688KB

Download
memory/624-68-0x00000000746B1000-0x00000000746B3000-memory.dmp

Filesize
8KB

Download
memory/624-107-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/624-104-0x0000000008B00000-0x0000000008BAC000-memory.dmp

Filesize
688KB

Download
memory/624-95-0x0000000008B00000-0x0000000008BAC000-memory.dmp

Filesize
688KB

Download
memory/624-94-0x0000000008B00000-0x0000000008BAC000-memory.dmp

Filesize
688KB

Download
memory/624-174-0x0000000008B00000-0x0000000008BAC000-memory.dmp

Filesize
688KB

Download
memory/624-206-0x0000000008B00000-0x0000000008BAC000-memory.dmp

Filesize
688KB

Download
memory/624-77-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1432-63-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/1564-200-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1564-215-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1564-186-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1936-84-0x00000000104D0000-0x000000001052C000-memory.dmp

Filesize
368KB

Download
memory/1936-69-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1936-153-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1936-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1936-103-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1936-136-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/1936-57-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/1936-55-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2924-140-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/2924-173-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2924-96-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2976-199-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/2976-217-0x000000000ABB0000-0x000000000AC5C000-memory.dmp

Filesize
688KB

Download
memory/2976-163-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/2976-97-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3320-216-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3320-214-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4124-147-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/4124-161-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4124-105-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4240-188-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4240-164-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/4240-132-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4272-134-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/5396-189-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/5396-135-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/5396-198-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/6992-187-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/6992-175-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads