cybergate | 813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242

General

Target

813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
Size

431KB
MD5

e0bb084cee8de5d16f817283ad8c799f
SHA1

7d1ae37b26406bf03b39b3b35da4fd2c897f5b1e
SHA256

813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242
SHA512

fac101a5592bbb53e37062057321a08d3a0b931f244dcebf9cfdb26fd6023effd258cc2d77697798635ede9ababf1867b7dda3f54411a0220570fb23890f07e6
SSDEEP

12288:OAarz4BkDPQqeJLHAY4m7Bszl15WyN6ehat/F:Xarz4BGQBt4BfWq6MG

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

wwc.ddns.net:81

Mutex

U11R10TOVBKO35

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1568 server.exe

pid	process
1568	server.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8PX51F1N-RG6C-A7N1-LU3N-U67U6N138S1S}	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8PX51F1N-RG6C-A7N1-LU3N-U67U6N138S1S}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8PX51F1N-RG6C-A7N1-LU3N-U67U6N138S1S}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8PX51F1N-RG6C-A7N1-LU3N-U67U6N138S1S}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1448-64-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1448-73-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1976-78-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1976-81-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1448-83-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral1/memory/1448-90-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral1/memory/1820-95-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral1/memory/1820-96-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral1/memory/1820-103-0x0000000010560000-0x00000000105D0000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

1820 explorer.exe
Loads dropped DLL 1 IoCs

Processes:

813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

pid process

1448 813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

pid	process
1820	explorer.exe

pid	process
1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

description	pid	process	target process
PID 1372 set thread context of 1448	1372	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

pid process

1448 813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 1820 explorer.exe
Token: SeDebugPrivilege 1820 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

pid process

1448 813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

pid	process
1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

description	pid	process
Token: SeDebugPrivilege	1820	explorer.exe
Token: SeDebugPrivilege	1820	explorer.exe

pid	process
1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

description	pid	process	target process
PID 1372 wrote to memory of 1448	1372	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
PID 1372 wrote to memory of 1448	1372	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
PID 1372 wrote to memory of 1448	1372	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
PID 1372 wrote to memory of 1448	1372	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
PID 1372 wrote to memory of 1448	1372	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
PID 1372 wrote to memory of 1448	1372	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE
PID 1448 wrote to memory of 1384	1448	813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
"C:\Users\Admin\AppData\Local\Temp\813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
C:\Users\Admin\AppData\Local\Temp\813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:1976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1464

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
4⤵
- Executes dropped EXE
PID:1568

C:\directory\CyberGate\install\server.exe
C:\directory\CyberGate\install\server.exe
5⤵
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
385KB

MD5
37586b75bce43253652b6dc2c155368e

SHA1
c7ea946db305085fb12ef82cfee9985a07f7e6cc

SHA256
7dea84488916afec00db65ff9e1b28f4862cd52bd7ddc6011ae84be89dbafde9

SHA512
fb3f5ee53c2b7879a904764f92907747272ed99f5d487699cd36c9872a2113a2e9e05c21cd4649b91ff5a1afb441211ab00b3e469642677fa110d1507347e6d6

Download Submit
C:\directory\CyberGate\install\server.exe

Filesize
431KB

MD5
e0bb084cee8de5d16f817283ad8c799f

SHA1
7d1ae37b26406bf03b39b3b35da4fd2c897f5b1e

SHA256
813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242

SHA512
fac101a5592bbb53e37062057321a08d3a0b931f244dcebf9cfdb26fd6023effd258cc2d77697798635ede9ababf1867b7dda3f54411a0220570fb23890f07e6

Download Submit
\??\c:\directory\CyberGate\install\server.exe

Filesize
431KB

MD5
e0bb084cee8de5d16f817283ad8c799f

SHA1
7d1ae37b26406bf03b39b3b35da4fd2c897f5b1e

SHA256
813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242

SHA512
fac101a5592bbb53e37062057321a08d3a0b931f244dcebf9cfdb26fd6023effd258cc2d77697798635ede9ababf1867b7dda3f54411a0220570fb23890f07e6

Download Submit
\directory\CyberGate\install\server.exe

Filesize
431KB

MD5
e0bb084cee8de5d16f817283ad8c799f

SHA1
7d1ae37b26406bf03b39b3b35da4fd2c897f5b1e

SHA256
813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242

SHA512
fac101a5592bbb53e37062057321a08d3a0b931f244dcebf9cfdb26fd6023effd258cc2d77697798635ede9ababf1867b7dda3f54411a0220570fb23890f07e6

Download Submit
memory/1372-55-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/1372-61-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/1372-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1384-67-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1448-62-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1448-64-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1448-100-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1448-73-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1448-56-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1448-60-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1448-58-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1448-83-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/1448-57-0x0000000000409860-mapping.dmp

Download
memory/1448-90-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/1568-102-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-98-0x0000000000000000-mapping.dmp

Download
memory/1820-96-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/1820-95-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/1820-87-0x0000000000000000-mapping.dmp

Download
memory/1820-103-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/1976-81-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1976-78-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1976-72-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1976-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads