cybergate | 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d

General

Target

6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
Size

649KB
MD5

28eb2401c10f2877daab62a6e749f6b0
SHA1

64f0e58afc44b1ef387df1d885678a287090a616
SHA256

6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d
SHA512

8671d339192ef77cc3a981ae8efed4d49480bfe2dce4efe4adf1fbda3551e59100aefe2e859d6b3c9fa9c60ff0857ce5c424046a7457e3e50c6d7b164f5a38fb
SSDEEP

6144:gCttNye+9aj4mOfaLzg89Vo/FGR0E7hMI4RJDNN2aXH16aaI6iul9FYLwHeNlllq:b9ROiLisxNMblHEaarFYL2euIzjsUAV

Score

10^/10

cybergate hack persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

hack

C2

ze-hack3r.zapto.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Updater
install_file
Patch.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
This program is corrupted. Please verify all files and retry.
message_box_title
ERROR
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

csc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	csc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Updater\\Patch.exe"	csc.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	csc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Updater\\Patch.exe"	csc.exe

Executes dropped EXE 1 IoCs

Processes:

Patch.exe

pid process

1472 Patch.exe

pid	process
1472	Patch.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

csc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AIO6QTQ-88UI-2SFP-4V3R-T2T38L253QXS}	csc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AIO6QTQ-88UI-2SFP-4V3R-T2T38L253QXS}\StubPath = "C:\\Windows\\system32\\Updater\\Patch.exe Restart"	csc.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1132-78-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1132-84-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/524-89-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/524-96-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/524-99-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

csc.exe

pid process

524 csc.exe

pid	process
524	csc.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

csc.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Updater\\Patch.exe"	csc.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	csc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Updater\\Patch.exe"	csc.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecran = "C:\\Users\\Admin\\AppData\\Roaming\\ecran.exe"	WScript.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csc.exe

Drops file in System32 directory 4 IoCs

Processes:

csc.execsc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Updater\Patch.exe	csc.exe
File opened for modification	C:\Windows\SysWOW64\Updater\Patch.exe	csc.exe
File opened for modification	C:\Windows\SysWOW64\Updater\Patch.exe	csc.exe
File opened for modification	C:\Windows\SysWOW64\Updater\	csc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe

description	pid	process	target process
PID 1556 set thread context of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 set thread context of 1596	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.execsc.execsc.exe

pid	process
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1132	csc.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
1596	csc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csc.exe

pid process

524 csc.exe

pid	process
524	csc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.execsc.exe

description	pid	process
Token: SeDebugPrivilege	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
Token: SeDebugPrivilege	524	csc.exe
Token: SeDebugPrivilege	524	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.execsc.exe

description	pid	process	target process
PID 1556 wrote to memory of 616	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	cmd.exe
PID 1556 wrote to memory of 616	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	cmd.exe
PID 1556 wrote to memory of 616	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	cmd.exe
PID 1556 wrote to memory of 616	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	cmd.exe
PID 1556 wrote to memory of 1744	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	WScript.exe
PID 1556 wrote to memory of 1744	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	WScript.exe
PID 1556 wrote to memory of 1744	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	WScript.exe
PID 1556 wrote to memory of 1744	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	WScript.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1556 wrote to memory of 1132	1556	6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe	csc.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe
PID 1132 wrote to memory of 2016	1132	csc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
"C:\Users\Admin\AppData\Local\Temp\6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd C:\Users\Admin\AppData\Roaming\ &&ren *.zgy *.exe && exit
2⤵
PID:616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs"
2⤵
- Adds Run key to start application
PID:1744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\SysWOW64\Updater\Patch.exe
"C:\Windows\system32\Updater\Patch.exe"
4⤵
- Executes dropped EXE
PID:1472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs
Filesize
248B

MD5
226a406fb0187ed8966dbcefcf582d03

SHA1
3a2b8c28bfc6332f05458bcc251a2850e76ff949

SHA256
db40e76b6a109be060619d0dd7103d3fe3eeafcabef02a4b47bc4ebfd287b2ff

SHA512
dcf416c3575f6161f2f5362e8ab2bcf05d618d14c61f9e03a5b866bd9cf1064246285797850faee9db9ab08c97af02106fa517fdab883152e360b07a09793e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
c88b3d4e3ad00f13043fb033f7579403

SHA1
ff5fa3819535dc91234d55aa7fd72f5b78d3b704

SHA256
dd1e1492169070d11bd53144c60d0dc71633f6c2e81b41caa0b4d46baedfb126

SHA512
6df35852874673a84c8614aea823bf5b59bc71192e2cdc98e97e6f29c6ca403ae81304ac91aa14599aeb593920b174fa6b04dbc64a5775555a25312c2ce83523

Download Submit
C:\Users\Admin\AppData\Roaming\ecran.zgy
Filesize
649KB

MD5
28eb2401c10f2877daab62a6e749f6b0

SHA1
64f0e58afc44b1ef387df1d885678a287090a616

SHA256
6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d

SHA512
8671d339192ef77cc3a981ae8efed4d49480bfe2dce4efe4adf1fbda3551e59100aefe2e859d6b3c9fa9c60ff0857ce5c424046a7457e3e50c6d7b164f5a38fb

Download Submit
C:\Windows\SysWOW64\Updater\Patch.exe
Filesize
75KB

MD5
3d7d2e825c63ff501e896cf008c70d75

SHA1
24e1e56df2c1e85b224b4360235513e79f03d3fc

SHA256
037fc52b8fc6089338eb456f2b45638ed36c42a4dca7ace391d166b2329838a1

SHA512
57d06b2226221162e0b54eeea3de13af6386bd632d16f6ec0666da81e8e177157a778caf0e3df0fe6368ea0b0fd93dae92cbe3cbb8c484f9e1107ba371301f21

Download Submit
C:\Windows\SysWOW64\Updater\Patch.exe
Filesize
75KB

MD5
3d7d2e825c63ff501e896cf008c70d75

SHA1
24e1e56df2c1e85b224b4360235513e79f03d3fc

SHA256
037fc52b8fc6089338eb456f2b45638ed36c42a4dca7ace391d166b2329838a1

SHA512
57d06b2226221162e0b54eeea3de13af6386bd632d16f6ec0666da81e8e177157a778caf0e3df0fe6368ea0b0fd93dae92cbe3cbb8c484f9e1107ba371301f21

Download Submit
\Windows\SysWOW64\Updater\Patch.exe
Filesize
75KB

MD5
3d7d2e825c63ff501e896cf008c70d75

SHA1
24e1e56df2c1e85b224b4360235513e79f03d3fc

SHA256
037fc52b8fc6089338eb456f2b45638ed36c42a4dca7ace391d166b2329838a1

SHA512
57d06b2226221162e0b54eeea3de13af6386bd632d16f6ec0666da81e8e177157a778caf0e3df0fe6368ea0b0fd93dae92cbe3cbb8c484f9e1107ba371301f21

Download Submit
memory/524-96-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/524-82-0x0000000000000000-mapping.dmp

Download
memory/524-99-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/524-89-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/524-87-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/616-55-0x0000000000000000-mapping.dmp

Download
memory/1132-90-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-70-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-72-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-74-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-64-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-78-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1132-68-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-84-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1132-67-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-62-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-66-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1132-71-0x000000000040BBF4-mapping.dmp

Download
memory/1132-65-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1472-94-0x0000000000000000-mapping.dmp

Download
memory/1556-75-0x0000000000425000-0x0000000000436000-memory.dmp

Filesize
68KB

Download
memory/1556-59-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1556-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1556-97-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1556-98-0x0000000000425000-0x0000000000436000-memory.dmp

Filesize
68KB

Download
memory/1556-113-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1556-114-0x0000000000425000-0x0000000000436000-memory.dmp

Filesize
68KB

Download
memory/1596-110-0x000000000040BBF4-mapping.dmp

Download
memory/1596-115-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1596-116-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1596-117-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1744-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads