f696348658a9b89041b6bf9bdc9a3ae8f3799c5beee76e42dc81f096307c7847

General

Target

kins_2.0.14.0.vir.exe
Size

240KB
MD5

da99ec7cfb172928a845b5116765f498
SHA1

4298f9dd3e8ba80c05f6ab7a90001590d115918c
SHA256

f696348658a9b89041b6bf9bdc9a3ae8f3799c5beee76e42dc81f096307c7847
SHA512

58b865fcc05432f214e2023c4bc7a63c89cdcb761046bc825a2b50cbffc153cb3c79736b9658c5327f84c14f59bbf9251edbb85ae431cd23531e259009042e3f

Score

8^/10

upx spyware persistence

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

Processes:

kins_2.0.14.0.vir.exeSplitTest.exe

description	pid	process	target process
PID 1164 set thread context of 844	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 set thread context of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1468 set thread context of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 set thread context of 660	1468	SplitTest.exe	SplitTest.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kins_2.0.14.0.vir.exe

description pid process

Token: SeSecurityPrivilege 1332 kins_2.0.14.0.vir.exe
Token: SeSecurityPrivilege 1332 kins_2.0.14.0.vir.exe
Loads dropped DLL 2 IoCs

Processes:

kins_2.0.14.0.vir.exe

pid process

1332 kins_2.0.14.0.vir.exe
1332 kins_2.0.14.0.vir.exe
Executes dropped EXE 2 IoCs

Processes:

SplitTest.exeSplitTest.exe

pid process

1468 SplitTest.exe
660 SplitTest.exe

description	pid	process
Token: SeSecurityPrivilege	1332	kins_2.0.14.0.vir.exe
Token: SeSecurityPrivilege	1332	kins_2.0.14.0.vir.exe

pid	process
1332	kins_2.0.14.0.vir.exe
1332	kins_2.0.14.0.vir.exe

pid	process
1468	SplitTest.exe
660	SplitTest.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	explorer.exe

Checks whether UAC is enabled 1 IoCs

Processes:

iexplore.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iexplore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/844-0-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/872-11-0x0000000000400000-0x0000000000AA4000-memory.dmp	upx
behavioral1/memory/872-14-0x0000000000400000-0x0000000000AA4000-memory.dmp	upx
behavioral1/memory/872-17-0x0000000000400000-0x0000000000AA4000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

iexplore.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

kins_2.0.14.0.vir.exeSplitTest.exeiexplore.exe

pid process

1164 kins_2.0.14.0.vir.exe
1468 SplitTest.exe
872 iexplore.exe
872 iexplore.exe
872 iexplore.exe
872 iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of WriteProcessMemory 79 IoCs

Processes:

kins_2.0.14.0.vir.exekins_2.0.14.0.vir.exeSplitTest.exeSplitTest.exe

description	pid	process	target process
PID 1164 wrote to memory of 1328	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 1328	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 1328	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 1328	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 844	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 844	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 844	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 844	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 844	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 844	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 844	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 844	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 844	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 844	1164	kins_2.0.14.0.vir.exe	iexplore.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1164 wrote to memory of 1332	1164	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 1332 wrote to memory of 1468	1332	kins_2.0.14.0.vir.exe	SplitTest.exe
PID 1332 wrote to memory of 1468	1332	kins_2.0.14.0.vir.exe	SplitTest.exe
PID 1332 wrote to memory of 1468	1332	kins_2.0.14.0.vir.exe	SplitTest.exe
PID 1332 wrote to memory of 1468	1332	kins_2.0.14.0.vir.exe	SplitTest.exe
PID 1468 wrote to memory of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 wrote to memory of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 wrote to memory of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 wrote to memory of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 wrote to memory of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 wrote to memory of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 wrote to memory of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 wrote to memory of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 wrote to memory of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 wrote to memory of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 wrote to memory of 872	1468	SplitTest.exe	iexplore.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1468 wrote to memory of 660	1468	SplitTest.exe	SplitTest.exe
PID 1332 wrote to memory of 536	1332	kins_2.0.14.0.vir.exe	cmd.exe
PID 1332 wrote to memory of 536	1332	kins_2.0.14.0.vir.exe	cmd.exe
PID 1332 wrote to memory of 536	1332	kins_2.0.14.0.vir.exe	cmd.exe
PID 1332 wrote to memory of 536	1332	kins_2.0.14.0.vir.exe	cmd.exe
PID 660 wrote to memory of 1104	660	SplitTest.exe	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\SplitTest.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d5vrebxd.default-release\\crashes\\SplitTest.exe"	explorer.exe

Suspicious behavior: EnumeratesProcesses 284 IoCs

Processes:

kins_2.0.14.0.vir.exeSplitTest.exeSplitTest.exeexplorer.exe

pid	process
1164	kins_2.0.14.0.vir.exe
1468	SplitTest.exe
660	SplitTest.exe
660	SplitTest.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

536 cmd.exe

pid	process
536	cmd.exe

C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:1328

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe"
3⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:872

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:660

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
5⤵
- Modifies system certificate store
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5cd49ced.bat"
3⤵
- Deletes itself
PID:536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5cd49ced.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe

Download Submit
memory/536-19-0x0000000000000000-mapping.dmp

Download
memory/660-15-0x0000000000406F1E-mapping.dmp

Download
memory/844-1-0x000000000040F750-mapping.dmp

Download
memory/844-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/872-11-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/872-12-0x000000000040F750-mapping.dmp

Download
memory/872-14-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/872-17-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/872-22-0x000000000040F750-mapping.dmp

Download
memory/1104-20-0x0000000000000000-mapping.dmp

Download
memory/1332-3-0x0000000000406F1E-mapping.dmp

Download
memory/1332-2-0x0000000000400000-0x0000000001274000-memory.dmp

Filesize
14.5MB

Download
memory/1332-4-0x0000000000400000-0x0000000001274000-memory.dmp

Filesize
14.5MB

Download
memory/1468-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads