cybergate | 0062f88be716d94eee46acf859de4975fbf7922a93ad17f620cf62d30790d190

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 16:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe
Size

317KB
MD5

31101855780f6a6eb64c848f860f540b
SHA1

2f67c34cfa190a0d21f4d2b5098912be7bc2ba1c
SHA256

0062f88be716d94eee46acf859de4975fbf7922a93ad17f620cf62d30790d190
SHA512

defa7c08dcb58ed582d7841270f30810764e572606d4d102618fac5f094a7c7dca6d428990666924853b34317fb86ea0876eebd977680771cba519db87aa27ff
SSDEEP

6144:4CyrCy8kJnusDZApSnRkRy4Y1B3RF3V8EGd:4vrv8+n9wSRkRy4Y1B3Ed

Score

10^/10

cybergate man persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

man

5noseqwa.no-ip.info:1177

6noseqwa.no-ip.info:1177

7noseqwa.no-ip.info:1177

Mutex

hjyjettwnw

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Java suns
install_file
Jqsx.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
int1705
regkey_hkcu
Java suns

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Java suns = "C:\\Users\\Admin\\AppData\\Roaming\\Java suns\\Jqsx.exe"	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Java suns = "C:\\Users\\Admin\\AppData\\Roaming\\Java suns\\Jqsx.exe"	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6665855C-7F74-613M-P4E2-2KKQY0VBT4KP}	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6665855C-7F74-613M-P4E2-2KKQY0VBT4KP}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Java suns\\Jqsx.exe Restart"	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6665855C-7F74-613M-P4E2-2KKQY0VBT4KP}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6665855C-7F74-613M-P4E2-2KKQY0VBT4KP}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Java suns\\Jqsx.exe"	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
2028	Jqsx.exe
2564	Jqsx.exe
2880	Jqsx.exe

Loads dropped DLL 2 IoCs

pid	Process
2964	explorer.exe
2964	explorer.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-23-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2396-27-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2396-29-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2396-21-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2396-30-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2396-32-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2396-31-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2396-33-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2964-473-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral1/memory/2564-687-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2564-969-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2396-984-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2964-994-0x0000000024060000-0x00000000240A2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java suns = "C:\\Users\\Admin\\AppData\\Roaming\\Java suns\\Jqsx.exe"	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 2396	2992	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	30
PID 2028 set thread context of 2564	2028	Jqsx.exe	37

Program crash 1 IoCs

pid	pid_target	Process	procid_target
596	860	WerFault.exe	34

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	Jqsx.exe
Token: SeDebugPrivilege	2880	Jqsx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2992	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe
2028	Jqsx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2396	2992	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2396	2992	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2396	2992	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2396	2992	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2396	2992	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2396	2992	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2396	2992	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2396	2992	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21
PID 2396 wrote to memory of 1196	2396	31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Loads dropped DLL
      PID:2964
    - - C:\Users\Admin\AppData\Roaming\Java suns\Jqsx.exe
        
        "C:\Users\Admin\AppData\Roaming\Java suns\Jqsx.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2028
      - C:\Users\Admin\AppData\Roaming\Java suns\Jqsx.exe
        
        6⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Java suns\Jqsx.exe
        
        "C:\Users\Admin\AppData\Roaming\Java suns\Jqsx.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\31101855780f6a6eb64c848f860f540b_JaffaCakes118.exe"
      4⤵
      PID:860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 192
        5⤵
        Program crash
        
        PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
d1155a14b0cd3e4893bb992553bd812f

SHA1
0bf4be5d058561510b7ca4274ec35153e6dfc07c

SHA256
00726f026dbaa1d2e0a021f1c46b2e5a1e217aca954579a28f4d9bc526c5124f

SHA512
acf2893101eb8d4232fad998dc5f0c252c39735750eebefc471e25e4bcc1c9df5aba0eaf711af3b78ca012ba45c7837e5710b47a104409b19a01112d379bac27

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
189KB

MD5
2c042289c862149c19d577470be98ac2

SHA1
ee9781bab6a273ee2316bc47961588c0e94f59f8

SHA256
e57eb0288d49d9284913e95ad650a53d5decd71f03fe1fd97efb15f9cca1245d

SHA512
7be9e55535ef1a1590c249116e5dcb4b57a758faa3b5cacb4da21071fff3cb4c85d9c0f2cb7f50c375d76900e9ca5a3a563059ad408529084e0cd0d0276b7d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
189KB

MD5
be1963d91f7e027bce737e29642c7cb2

SHA1
7e3be1af7cb6d5df5246dd9b45e2564c5cb99f5b

SHA256
d205ce3fb916d028938661c361f4ce9b6aad45f517f4daf8ced63473ee1bfd2a

SHA512
626164957145be7f91b6c6bf796ae5eebd93d6a746224951cc2c8337de9408d4dd17f5bf94c5fe021952fe441c6cf7b1a623491116cea6162d99b0256b9b7da8

Download Submit
C:\Users\Admin\AppData\Roaming\Java suns\Jqsx.exe

Filesize
317KB

MD5
31101855780f6a6eb64c848f860f540b

SHA1
2f67c34cfa190a0d21f4d2b5098912be7bc2ba1c

SHA256
0062f88be716d94eee46acf859de4975fbf7922a93ad17f620cf62d30790d190

SHA512
defa7c08dcb58ed582d7841270f30810764e572606d4d102618fac5f094a7c7dca6d428990666924853b34317fb86ea0876eebd977680771cba519db87aa27ff

Download Submit
memory/1196-37-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/2396-27-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2396-29-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2396-984-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2396-33-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2396-31-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2396-32-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2396-30-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2396-19-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2396-21-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2396-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2396-23-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2564-969-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2564-687-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2964-473-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/2964-238-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2964-994-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/2964-294-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2992-13-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2992-1-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2992-5-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2992-14-0x0000000001CB0000-0x0000000001CC0000-memory.dmp

Filesize
64KB

Download
memory/2992-15-0x0000000001CC0000-0x0000000001CD0000-memory.dmp

Filesize
64KB

Download
memory/2992-0-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2992-11-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2992-10-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2992-8-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2992-12-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2992-2-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/2992-16-0x0000000001CD0000-0x0000000001CE0000-memory.dmp

Filesize
64KB

Download
memory/2992-6-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2992-4-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2992-7-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2992-9-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2992-3-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads