klingon | 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611

General

Target

44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
Size

7.8MB
MD5

8d44ccac6b5512a416339984ad664d79
SHA1

6152e1a374fd572d25fab8baae9d1b12116a7c35
SHA256

44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611
SHA512

c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7

Score

10^/10

klingon persistence trojan

Malware Config

Signatures

Klingon
Klingon is a remote access trojan written in Golang with various capabilities.
trojan klingon

Klingon RAT Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Windows Update\updater10.exe	family_klingon
C:\Users\Admin\AppData\Local\Windows Update\updater10.exe	family_klingon

Executes dropped EXE 2 IoCs

Processes:

updater10.exe546738843.exe

pid process

4056 updater10.exe
512 546738843.exe

pid	process
4056	updater10.exe
512	546738843.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

updater10.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -1 -0"	updater10.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 api.ipify.org
13 api.ipify.org
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1424 net.exe
1580 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1260 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

580 systeminfo.exe

flow	ioc
7	api.ipify.org
8	api.ipify.org
13	api.ipify.org

pid	process
1424	net.exe
1580	net.exe

pid	process
1260	ipconfig.exe

pid	process
580	systeminfo.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

updater10.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	updater10.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	updater10.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	updater10.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

546738843.exe

pid process

512 546738843.exe
512 546738843.exe
512 546738843.exe
512 546738843.exe

pid	process
512	546738843.exe
512	546738843.exe
512	546738843.exe
512	546738843.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5068	wmic.exe
Token: SeSecurityPrivilege	5068	wmic.exe
Token: SeTakeOwnershipPrivilege	5068	wmic.exe
Token: SeLoadDriverPrivilege	5068	wmic.exe
Token: SeSystemProfilePrivilege	5068	wmic.exe
Token: SeSystemtimePrivilege	5068	wmic.exe
Token: SeProfSingleProcessPrivilege	5068	wmic.exe
Token: SeIncBasePriorityPrivilege	5068	wmic.exe
Token: SeCreatePagefilePrivilege	5068	wmic.exe
Token: SeBackupPrivilege	5068	wmic.exe
Token: SeRestorePrivilege	5068	wmic.exe
Token: SeShutdownPrivilege	5068	wmic.exe
Token: SeDebugPrivilege	5068	wmic.exe
Token: SeSystemEnvironmentPrivilege	5068	wmic.exe
Token: SeRemoteShutdownPrivilege	5068	wmic.exe
Token: SeUndockPrivilege	5068	wmic.exe
Token: SeManageVolumePrivilege	5068	wmic.exe
Token: 33	5068	wmic.exe
Token: 34	5068	wmic.exe
Token: 35	5068	wmic.exe
Token: 36	5068	wmic.exe
Token: SeIncreaseQuotaPrivilege	5068	wmic.exe
Token: SeSecurityPrivilege	5068	wmic.exe
Token: SeTakeOwnershipPrivilege	5068	wmic.exe
Token: SeLoadDriverPrivilege	5068	wmic.exe
Token: SeSystemProfilePrivilege	5068	wmic.exe
Token: SeSystemtimePrivilege	5068	wmic.exe
Token: SeProfSingleProcessPrivilege	5068	wmic.exe
Token: SeIncBasePriorityPrivilege	5068	wmic.exe
Token: SeCreatePagefilePrivilege	5068	wmic.exe
Token: SeBackupPrivilege	5068	wmic.exe
Token: SeRestorePrivilege	5068	wmic.exe
Token: SeShutdownPrivilege	5068	wmic.exe
Token: SeDebugPrivilege	5068	wmic.exe
Token: SeSystemEnvironmentPrivilege	5068	wmic.exe
Token: SeRemoteShutdownPrivilege	5068	wmic.exe
Token: SeUndockPrivilege	5068	wmic.exe
Token: SeManageVolumePrivilege	5068	wmic.exe
Token: 33	5068	wmic.exe
Token: 34	5068	wmic.exe
Token: 35	5068	wmic.exe
Token: 36	5068	wmic.exe
Token: SeIncreaseQuotaPrivilege	1012	wmic.exe
Token: SeSecurityPrivilege	1012	wmic.exe
Token: SeTakeOwnershipPrivilege	1012	wmic.exe
Token: SeLoadDriverPrivilege	1012	wmic.exe
Token: SeSystemProfilePrivilege	1012	wmic.exe
Token: SeSystemtimePrivilege	1012	wmic.exe
Token: SeProfSingleProcessPrivilege	1012	wmic.exe
Token: SeIncBasePriorityPrivilege	1012	wmic.exe
Token: SeCreatePagefilePrivilege	1012	wmic.exe
Token: SeBackupPrivilege	1012	wmic.exe
Token: SeRestorePrivilege	1012	wmic.exe
Token: SeShutdownPrivilege	1012	wmic.exe
Token: SeDebugPrivilege	1012	wmic.exe
Token: SeSystemEnvironmentPrivilege	1012	wmic.exe
Token: SeRemoteShutdownPrivilege	1012	wmic.exe
Token: SeUndockPrivilege	1012	wmic.exe
Token: SeManageVolumePrivilege	1012	wmic.exe
Token: 33	1012	wmic.exe
Token: 34	1012	wmic.exe
Token: 35	1012	wmic.exe
Token: 36	1012	wmic.exe
Token: SeIncreaseQuotaPrivilege	1012	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exeupdater10.exenet.exe

description	pid	process	target process
PID 4444 wrote to memory of 5068	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	wmic.exe
PID 4444 wrote to memory of 5068	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	wmic.exe
PID 4444 wrote to memory of 3128	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	cmd.exe
PID 4444 wrote to memory of 3128	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	cmd.exe
PID 4444 wrote to memory of 1012	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	wmic.exe
PID 4444 wrote to memory of 1012	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	wmic.exe
PID 4444 wrote to memory of 4056	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	updater10.exe
PID 4444 wrote to memory of 4056	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	updater10.exe
PID 4056 wrote to memory of 4040	4056	updater10.exe	wmic.exe
PID 4056 wrote to memory of 4040	4056	updater10.exe	wmic.exe
PID 4056 wrote to memory of 4112	4056	updater10.exe	cmd.exe
PID 4056 wrote to memory of 4112	4056	updater10.exe	cmd.exe
PID 4056 wrote to memory of 4088	4056	updater10.exe	wmic.exe
PID 4056 wrote to memory of 4088	4056	updater10.exe	wmic.exe
PID 4056 wrote to memory of 512	4056	updater10.exe	546738843.exe
PID 4056 wrote to memory of 512	4056	updater10.exe	546738843.exe
PID 4056 wrote to memory of 580	4056	updater10.exe	systeminfo.exe
PID 4056 wrote to memory of 580	4056	updater10.exe	systeminfo.exe
PID 4056 wrote to memory of 1260	4056	updater10.exe	ipconfig.exe
PID 4056 wrote to memory of 1260	4056	updater10.exe	ipconfig.exe
PID 4056 wrote to memory of 1424	4056	updater10.exe	net.exe
PID 4056 wrote to memory of 1424	4056	updater10.exe	net.exe
PID 4056 wrote to memory of 1580	4056	updater10.exe	net.exe
PID 4056 wrote to memory of 1580	4056	updater10.exe	net.exe
PID 4056 wrote to memory of 1896	4056	updater10.exe	net.exe
PID 4056 wrote to memory of 1896	4056	updater10.exe	net.exe
PID 1896 wrote to memory of 1812	1896	net.exe	net1.exe
PID 1896 wrote to memory of 1812	1896	net.exe	net1.exe
PID 4056 wrote to memory of 2144	4056	updater10.exe	nltest.exe
PID 4056 wrote to memory of 2144	4056	updater10.exe	nltest.exe
PID 4056 wrote to memory of 2268	4056	updater10.exe	nltest.exe
PID 4056 wrote to memory of 2268	4056	updater10.exe	nltest.exe

C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
"C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\System32\Wbem\wmic.exe
wmic process get Caption,ParentProcessId,ProcessId
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe ver
2⤵
PID:3128

C:\Windows\System32\Wbem\wmic.exe
wmic process get Caption,ParentProcessId,ProcessId
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\System32\Wbem\wmic.exe
wmic process get Caption,ParentProcessId,ProcessId
3⤵
PID:4040

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe ver
3⤵
PID:4112

C:\Windows\System32\Wbem\wmic.exe
wmic process get Caption,ParentProcessId,ProcessId
3⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\546738843.exe
C:\Users\Admin\AppData\Local\Temp\546738843.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:512

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:580

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:1260

C:\Windows\system32\net.exe
net view /all
3⤵
- Discovers systems in the same network
PID:1424

C:\Windows\system32\net.exe
net view /all domain
3⤵
- Discovers systems in the same network
PID:1580

C:\Windows\system32\net.exe
net users /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 users /domain
4⤵
PID:1812

C:\Windows\system32\nltest.exe
nltest /domain_trusts
3⤵
PID:2144

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\546738843.exe
MD5
39f71c609daddb77e4e6b747154b7381

SHA1
4e0e7bd351597c9f363486ee233bedf9dac1bb64

SHA256
ebca8c4d11a3e0c6977d9e47c8777436859888010ef40195470bf450441dd1f6

SHA512
f628cb8cbe031ea2a7d11c99aab2da5bd1b382a75d633005cd1a7b945e64fc45c3280db23f1567256b4c2eb1b7f2bd2f4513fe8bbec6806296d1189edcd54b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\546738843.exe
MD5
39f71c609daddb77e4e6b747154b7381

SHA1
4e0e7bd351597c9f363486ee233bedf9dac1bb64

SHA256
ebca8c4d11a3e0c6977d9e47c8777436859888010ef40195470bf450441dd1f6

SHA512
f628cb8cbe031ea2a7d11c99aab2da5bd1b382a75d633005cd1a7b945e64fc45c3280db23f1567256b4c2eb1b7f2bd2f4513fe8bbec6806296d1189edcd54b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Andrew.dmp
MD5
23e2349661769b9df4d945411173fd85

SHA1
8615ba66c5de96b954d91fd9e9e0879b2872f6bd

SHA256
c7bcda3856feb4cafe2a52f290873f48f4f5cceeaa0f7eace812452540750776

SHA512
2e3aae6cfc4c66d496bba31ab0c74f021b66fc0820fd81441e6721b54f18f0eb60f7a9b366e49c8be7e2eba12faa0cc79ec651c0ce1f72dec4e2eab396a76a5b

Download Submit
C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
MD5
8d44ccac6b5512a416339984ad664d79

SHA1
6152e1a374fd572d25fab8baae9d1b12116a7c35

SHA256
44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611

SHA512
c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7

Download Submit
C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
MD5
8d44ccac6b5512a416339984ad664d79

SHA1
6152e1a374fd572d25fab8baae9d1b12116a7c35

SHA256
44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611

SHA512
c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7

Download Submit
memory/512-123-0x0000000000000000-mapping.dmp

Download
memory/580-125-0x0000000000000000-mapping.dmp

Download
memory/1012-116-0x0000000000000000-mapping.dmp

Download
memory/1260-128-0x0000000000000000-mapping.dmp

Download
memory/1424-129-0x0000000000000000-mapping.dmp

Download
memory/1580-130-0x0000000000000000-mapping.dmp

Download
memory/1812-132-0x0000000000000000-mapping.dmp

Download
memory/1896-131-0x0000000000000000-mapping.dmp

Download
memory/2144-133-0x0000000000000000-mapping.dmp

Download
memory/2268-134-0x0000000000000000-mapping.dmp

Download
memory/3128-115-0x0000000000000000-mapping.dmp

Download
memory/4040-120-0x0000000000000000-mapping.dmp

Download
memory/4056-117-0x0000000000000000-mapping.dmp

Download
memory/4088-122-0x0000000000000000-mapping.dmp

Download
memory/4112-121-0x0000000000000000-mapping.dmp

Download
memory/5068-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads