cybergate | 3b6930108f3a36822c7e27e8ce7848cbedd3b37c0e21500ab45a5b9956d687d8

Analysis

max time kernel
23s
max time network
17s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-01-2025 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Creative EAX Settings.exe
Size

3.4MB
MD5

95413932fc696781ccbbc5fb34d6d244
SHA1

72cd83ff778160751a9b3ea51e9ba527111d4ec6
SHA256

3b6930108f3a36822c7e27e8ce7848cbedd3b37c0e21500ab45a5b9956d687d8
SHA512

6b32d8e69b36849d5d61e70a9682fce2017105009349092f964496934c652201a98b960891c5b92bee7558d863a9e161abea9372edaaac1e62199ea44b1752b5
SSDEEP

49152:uEP+CRKbnhbwXcdzs6LyDCxzyDKM7DPUD12VP:uMQb59sUzOKPs

Score

10^/10

cybergate viros.alasiri discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Viros.ALaSiri

o5q.no-ip.biz:82

Mutex

AIO-Setup

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
windows
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
windows1
regkey_hklm
windows

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Creative EAX Settings.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\windows2 = "C:\\Windows\\system32\\windows\\windows.exe"	Creative EAX Settings.exe
Key created	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Creative EAX Settings.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\windows2 = "C:\\Windows\\system32\\windows\\windows.exe"	Creative EAX Settings.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC4QPNRP-L8UO-R843-3P0L-T4VL7DU2CHJ6}	Creative EAX Settings.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC4QPNRP-L8UO-R843-3P0L-T4VL7DU2CHJ6}\StubPath = "C:\\Windows\\system32\\windows\\windows.exe Restart"	Creative EAX Settings.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC4QPNRP-L8UO-R843-3P0L-T4VL7DU2CHJ6}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC4QPNRP-L8UO-R843-3P0L-T4VL7DU2CHJ6}\StubPath = "C:\\Windows\\system32\\windows\\windows.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
3776	windows.exe
3296	windows.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Windows\\system32\\windows\\windows.exe"	Creative EAX Settings.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows1 = "C:\\Windows\\system32\\windows\\windows.exe"	Creative EAX Settings.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windows\windows.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\windows\	explorer.exe
File created	C:\Windows\SysWOW64\windows\windows.exe	Creative EAX Settings.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3652 set thread context of 2700	3652	Creative EAX Settings.exe	83
PID 3776 set thread context of 3296	3776	windows.exe	92

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2700-13-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2700-17-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3692	3652	WerFault.exe	81
4936	3776	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Creative EAX Settings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Creative EAX Settings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1160	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	explorer.exe
Token: SeDebugPrivilege	1160	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2700	Creative EAX Settings.exe
3776	windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 2700	3652	Creative EAX Settings.exe	83
PID 3652 wrote to memory of 1768	3652	Creative EAX Settings.exe	84
PID 3652 wrote to memory of 1768	3652	Creative EAX Settings.exe	84
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57
PID 2700 wrote to memory of 3612	2700	Creative EAX Settings.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3612
- C:\Users\Admin\AppData\Local\Temp\Creative EAX Settings.exe
  "C:\Users\Admin\AppData\Local\Temp\Creative EAX Settings.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\Creative EAX Settings.exe
    "C:\Users\Admin\AppData\Local\Temp\Creative EAX Settings.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:4120
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1160
    - - C:\Windows\SysWOW64\windows\windows.exe
        
        "C:\Windows\system32\windows\windows.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:3776
      - C:\Windows\SysWOW64\windows\windows.exe
        
        C:\Windows\SysWOW64\windows\windows.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 808
        6⤵
        Program crash
        
        PID:4936
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 760
    3⤵
    - Program crash
    PID:3692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3652 -ip 3652
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3776 -ip 3776
1⤵
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
2278a554927299e59f8e84fd649624f2

SHA1
a986e1c36a1ad9489dfb674de0500cf3f1f4d7e1

SHA256
6e86a8e3ce97334624fd8dcdd557540898e8085f5256c2b610dbdb69d5660e21

SHA512
9db80da272629470fb8da48663c17928cd72ffdfc715a63e4c4914ced3e114944d16d71a9ed5cb89901b9195b13d42b704a23d9e539834b693eca2036d7b4a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
982890e4b6d54a585d51696e4befedf4

SHA1
681e3b0fe1e3c80db481817393c07222d2a3db34

SHA256
7d67063b90698ed23c4237b6c2c42ad45e7d77fb041a6be23f69449fdc3a1c18

SHA512
545a94c0be55987259a2c7c97dabc301281d1105c57c154b7e72c31d8a7d87d4ae9bed0173afdf89595cdafd42f6a3e8ac644a76325438fed071f98fc03b98d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fd9a66cc63ae05771acc5d0cfecf8d91

SHA1
bfe7d896737f74f97bfee35c63103ca36c38d8ab

SHA256
48743ab7898a1cd02b20c156901dc062dc46de9ded4ec8df92a0a4f240d8832b

SHA512
e2f2e7dc4360ff85bd502de49afa9de5302d2156d822423665d9901c4d3b9599c02d7f2e04dd78fa469ff8f621b456e310d55c4cdd699b01b0315e77a2cb683a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c48de5928a498f86be69862e82aafdd4

SHA1
6bd152a07dbfb5feb85f638e5c327c4b29b0657a

SHA256
33382aa988cb948f13410ca23d497176fdfab35a55284b84535be5aea252a828

SHA512
57b19e629cb36d0c69406ab86861c08c241af46ed25f15ce6c2dfac07f9a20a31db8aec2f386a75eed1a5f3a01370acf3ac3276700f1d2ce0b122d2fe54eaf91

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a50f2f15edb150cd38565e9dad77719

SHA1
f5c8e5c0045748bc6c26b164e54c6643ad8cffda

SHA256
109a1a71fabb5665402235b5e06b3461865f1a08f8420ac2351ff94bc9cadf53

SHA512
f4c8419fdde94733b3d55f8ecacc60af0ac324be82641d382d912318d659d2ba2e1e4505742633dd65f2fa2c62e0df007486b35912e8f6752f8ad1b5f5684967

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
89233a2549d2128587fbc2f05dedef34

SHA1
de41012f34099e6777b61e68f4ecf5d3c1aadb9a

SHA256
63e646e6bb0fc262127e11c995b98f89b9c73638497ed73ac1bce6656fd3c80b

SHA512
9b0fefb5713fac4dfa7c418d391f8e5c51997ad834b4355b06281106e4cc9990f0c9a4e1ae16d1eaae972a580a0048fb4dfc65a2d3049c7129bb8e8bd48418b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
36b5f61bd9a3da89e109c6c6baecafa1

SHA1
71128faa770cca247c8c96facca45f49c4c1a8a6

SHA256
655d2fd5612bff1aa7ad14a4ec6df00df1f47d48543bc42043da45503df3399a

SHA512
2e1f5da91931597a7ea81fa4e1d8e0b8f36b7c02cb3913339d347af68429d80ffd8b82627685d23eade79b8ec42abeb72dc79f0b3d3a0225a1d0f21ead53f730

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
30cc10d13850d56ae6cb566adf015b5a

SHA1
8d5ba68c84bf38ae57e78b85a87476f33439438a

SHA256
e027da8e0fd23fcaedf56cd957d6bd35e57115229c55669aa153f53117f9d0c9

SHA512
ad4872bdd3b8470a6e0b3463a46038a2802a2d54bd1e4f448f203da46becf5248eebe516ac9ab4495c5670e3de6b1e6553fdc4378a8d6a31dfc10e94e51b8acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8090f36709db5f83611d7a69da4ea821

SHA1
3b12dc044747e8e371809c589818419bb92611a5

SHA256
58e40555960b8dca6801d7f91eb3c4b4896d47c3ca48a59acaf8c8516d9477c7

SHA512
d58134482a4e0e574eba5e4dcc7f8c3083ddb89665aeaddc0820260a83f13e8d29fed50a61c5ac7ee249a9e097d9c35f476d52f64ee611da453734a9b7ac8592

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7e66bc247f7884a6a46f10696400fd7d

SHA1
91d733e51f3d2f8c88ffa9413f29f26fb05bae07

SHA256
777c7a193a257fcb103d14cd5089a72202446a4a087c07135c996a45769c26ae

SHA512
2c45382367a6b85f61536e4c1ff9df94a7a53de30a463f0ba7a6f00b17550544f6c6a644974a8bcc27594b6ca81b80b165bbe87ded48737363df75fd3fc1210d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f695be8da72a01e9893c672fd2f290cc

SHA1
b4929094410dc9dff247a0269d09f627215f3f15

SHA256
03e312d1912f15926fac62c1add8004bc46b94ce3952e46ae7c9212b33038279

SHA512
752c1e6f447930b591ee7ba71c7ed344cea5eff3314092ce5a11a88ae4bba9af340ae80190bc93a773007b8e9172e41577047ad68b18bfc860b15046f08fd097

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aedce2969df419b66c3089829fa09268

SHA1
bb6b5248eb15dc7848bbe9aca06d521df4c6f54e

SHA256
ae0d0bde1612ffb081d53136fdeb339707bb1603df0563bcb30481766187c518

SHA512
3aa6289ade99f7aa9cf9fe27b71ff8d94d601f787b392cc24d4cd94a60d2b607136ef042372598f1c8f66dacef92b7d55a06cb47a3501c3048fdbe06a80a906c

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\windows\windows.exe

Filesize
3.4MB

MD5
95413932fc696781ccbbc5fb34d6d244

SHA1
72cd83ff778160751a9b3ea51e9ba527111d4ec6

SHA256
3b6930108f3a36822c7e27e8ce7848cbedd3b37c0e21500ab45a5b9956d687d8

SHA512
6b32d8e69b36849d5d61e70a9682fce2017105009349092f964496934c652201a98b960891c5b92bee7558d863a9e161abea9372edaaac1e62199ea44b1752b5

Download Submit
memory/2700-13-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2700-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2700-17-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2700-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2700-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2700-11-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2700-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2700-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2700-5-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2700-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3652-0-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/3652-178-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/4120-19-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4120-18-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads