danabot | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (11).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

danabot redline smokeloader 111 25.08 dibild2 backdoor banker evasion infostealer themida trojan

Malware Config

Extracted

Family

redline

193.56.146.60:16367

205.185.119.191:18846

185.215.113.29:8678

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

rc4.i32

Extracted

Family

redline

Botnet

dibild2

135.148.139.222:1494

Extracted

Family

redline

Botnet

25.08

95.181.172.100:55640

Extracted

Family

redline

Botnet

111

87.251.71.44:80

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

resource	yara_rule
behavioral5/memory/3028-256-0x0000000001CA0000-0x0000000001DFF000-memory.dmp	DanabotLoader2021
behavioral5/memory/2572-283-0x0000000000960000-0x0000000000ABF000-memory.dmp	DanabotLoader2021

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 14 IoCs

resource	yara_rule
behavioral5/memory/900-182-0x0000000003CE0000-0x0000000003CFD000-memory.dmp	family_redline
behavioral5/memory/900-192-0x0000000004000000-0x000000000401C000-memory.dmp	family_redline
behavioral5/memory/2756-207-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral5/memory/2756-208-0x000000000041A616-mapping.dmp	family_redline
behavioral5/memory/2756-213-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral5/memory/2820-214-0x000000000041A772-mapping.dmp	family_redline
behavioral5/memory/2820-212-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral5/memory/1552-217-0x0000000002D20000-0x0000000002D3C000-memory.dmp	family_redline
behavioral5/memory/1552-218-0x0000000002F80000-0x0000000002F9A000-memory.dmp	family_redline
behavioral5/memory/1556-222-0x00000000003D0000-0x00000000003ED000-memory.dmp	family_redline
behavioral5/memory/1556-223-0x0000000003DD0000-0x0000000003DEC000-memory.dmp	family_redline
behavioral5/memory/2820-224-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral5/memory/3032-278-0x0000000002E60000-0x0000000002E7D000-memory.dmp	family_redline
behavioral5/memory/3032-279-0x00000000047E0000-0x00000000047FC000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 20 IoCs

pid	Process
932	HV0tThpMAQRV9oMGYvhTSnG3.exe
1796	O9IoIZnbIEj6kFqWN4kLRyLY.exe
700	QlLL3U2t5eNt9MiKim5lchEk.exe
1564	U7_SqzvKKxfTsmgYfCStq3sf.exe
260	tafjFV96WzabEthWGGD3Apny.exe
1640	eb_Srgbx2WnZeOsF0kcu8HxI.exe
900	vnLK01lj7cWqLNVGDTh2FIqX.exe
1556	oxhDuy02GBWFb1WZQoVBWiMS.exe
1388	6EmUAZu7JJ5KaeifsT2bxcWa.exe
1720	PWHBRuhwiN6dJiZkPEWJoKAj.exe
848	Process not Found
2012	fcAtcrKiRMy0b6QR6z9PhJoJ.exe
1052	C4nJCLgNTfxrsW_kHCr8avQk.exe
928	ta4dYfxqKbVk6jWRfIpLxB0b.exe
564	a2lDUWV0Tp0F0Wtq7mBK9AEP.exe
1016	gl5PYnLK6jmNDQzTz3JY_xpz.exe
1168	bB3sj_mcMVU0BivA2jFiIlRB.exe
1552	GYs5zUJlK8wf7X8ju3ua1ofN.exe
1036	geLnMdk3AAj9hUdhpWI7GjWG.exe
1560	jWyiKuALPFR2Uon9zb0fNAH6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International\Geo\Nation	Setup (11).exe

Loads dropped DLL 29 IoCs

pid	Process
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe
1528	Setup (11).exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral5/files/0x0003000000013161-136.dat	themida
behavioral5/files/0x000300000001315d-127.dat	themida
behavioral5/files/0x0003000000013154-124.dat	themida
behavioral5/files/0x0003000000013171-149.dat	themida
behavioral5/files/0x0003000000013171-140.dat	themida
behavioral5/files/0x0003000000013161-114.dat	themida
behavioral5/files/0x000300000001315d-99.dat	themida
behavioral5/files/0x0003000000013154-90.dat	themida
behavioral5/memory/1720-180-0x0000000000B90000-0x0000000000B91000-memory.dmp	themida
behavioral5/memory/1492-189-0x0000000000350000-0x0000000000351000-memory.dmp	themida
behavioral5/memory/1036-202-0x0000000000290000-0x0000000000291000-memory.dmp	themida
behavioral5/memory/1052-243-0x0000000000EC0000-0x0000000000EC1000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ipinfo.io
156	ipinfo.io
157	ipinfo.io
194	freegeoip.app
195	freegeoip.app
22	ipinfo.io
192	freegeoip.app
197	freegeoip.app
231	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2440	1564	WerFault.exe	34

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2268	schtasks.exe
2312	schtasks.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
464	taskkill.exe
2732	taskkill.exe
3020	taskkill.exe
2896	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup (11).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (11).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup (11).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup (11).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (11).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1528	Setup (11).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 700	1528	Setup (11).exe	31
PID 1528 wrote to memory of 700	1528	Setup (11).exe	31
PID 1528 wrote to memory of 700	1528	Setup (11).exe	31
PID 1528 wrote to memory of 700	1528	Setup (11).exe	31
PID 1528 wrote to memory of 1564	1528	Setup (11).exe	34
PID 1528 wrote to memory of 1564	1528	Setup (11).exe	34
PID 1528 wrote to memory of 1564	1528	Setup (11).exe	34
PID 1528 wrote to memory of 1564	1528	Setup (11).exe	34
PID 1528 wrote to memory of 1564	1528	Setup (11).exe	34
PID 1528 wrote to memory of 1564	1528	Setup (11).exe	34
PID 1528 wrote to memory of 1564	1528	Setup (11).exe	34
PID 1528 wrote to memory of 1796	1528	Setup (11).exe	33
PID 1528 wrote to memory of 1796	1528	Setup (11).exe	33
PID 1528 wrote to memory of 1796	1528	Setup (11).exe	33
PID 1528 wrote to memory of 1796	1528	Setup (11).exe	33
PID 1528 wrote to memory of 260	1528	Setup (11).exe	35
PID 1528 wrote to memory of 260	1528	Setup (11).exe	35
PID 1528 wrote to memory of 260	1528	Setup (11).exe	35
PID 1528 wrote to memory of 260	1528	Setup (11).exe	35
PID 1528 wrote to memory of 1640	1528	Setup (11).exe	38
PID 1528 wrote to memory of 1640	1528	Setup (11).exe	38
PID 1528 wrote to memory of 1640	1528	Setup (11).exe	38
PID 1528 wrote to memory of 1640	1528	Setup (11).exe	38
PID 1528 wrote to memory of 900	1528	Setup (11).exe	37
PID 1528 wrote to memory of 900	1528	Setup (11).exe	37
PID 1528 wrote to memory of 900	1528	Setup (11).exe	37
PID 1528 wrote to memory of 900	1528	Setup (11).exe	37
PID 1528 wrote to memory of 1388	1528	Setup (11).exe	39
PID 1528 wrote to memory of 1388	1528	Setup (11).exe	39
PID 1528 wrote to memory of 1388	1528	Setup (11).exe	39
PID 1528 wrote to memory of 1388	1528	Setup (11).exe	39
PID 1528 wrote to memory of 1556	1528	Setup (11).exe	40
PID 1528 wrote to memory of 1556	1528	Setup (11).exe	40
PID 1528 wrote to memory of 1556	1528	Setup (11).exe	40
PID 1528 wrote to memory of 1556	1528	Setup (11).exe	40
PID 1528 wrote to memory of 2012	1528	Setup (11).exe	51
PID 1528 wrote to memory of 2012	1528	Setup (11).exe	51
PID 1528 wrote to memory of 2012	1528	Setup (11).exe	51
PID 1528 wrote to memory of 2012	1528	Setup (11).exe	51
PID 1528 wrote to memory of 848	1528	Setup (11).exe	50
PID 1528 wrote to memory of 848	1528	Setup (11).exe	50
PID 1528 wrote to memory of 848	1528	Setup (11).exe	50
PID 1528 wrote to memory of 848	1528	Setup (11).exe	50
PID 1528 wrote to memory of 1720	1528	Setup (11).exe	52
PID 1528 wrote to memory of 1720	1528	Setup (11).exe	52
PID 1528 wrote to memory of 1720	1528	Setup (11).exe	52
PID 1528 wrote to memory of 1720	1528	Setup (11).exe	52
PID 1528 wrote to memory of 1720	1528	Setup (11).exe	52
PID 1528 wrote to memory of 1720	1528	Setup (11).exe	52
PID 1528 wrote to memory of 1720	1528	Setup (11).exe	52
PID 1528 wrote to memory of 1052	1528	Setup (11).exe	49
PID 1528 wrote to memory of 1052	1528	Setup (11).exe	49
PID 1528 wrote to memory of 1052	1528	Setup (11).exe	49
PID 1528 wrote to memory of 1052	1528	Setup (11).exe	49
PID 1528 wrote to memory of 1052	1528	Setup (11).exe	49
PID 1528 wrote to memory of 1052	1528	Setup (11).exe	49
PID 1528 wrote to memory of 1052	1528	Setup (11).exe	49
PID 1528 wrote to memory of 928	1528	Setup (11).exe	48
PID 1528 wrote to memory of 928	1528	Setup (11).exe	48
PID 1528 wrote to memory of 928	1528	Setup (11).exe	48
PID 1528 wrote to memory of 928	1528	Setup (11).exe	48
PID 1528 wrote to memory of 564	1528	Setup (11).exe	47
PID 1528 wrote to memory of 564	1528	Setup (11).exe	47
PID 1528 wrote to memory of 564	1528	Setup (11).exe	47

C:\Users\Admin\AppData\Local\Temp\Setup (11).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (11).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\Documents\QlLL3U2t5eNt9MiKim5lchEk.exe
  "C:\Users\Admin\Documents\QlLL3U2t5eNt9MiKim5lchEk.exe"
  2⤵
  - Executes dropped EXE
  PID:700
- - C:\Users\Admin\Documents\QlLL3U2t5eNt9MiKim5lchEk.exe
    "C:\Users\Admin\Documents\QlLL3U2t5eNt9MiKim5lchEk.exe"
    3⤵
    PID:1692
- C:\Users\Admin\Documents\HV0tThpMAQRV9oMGYvhTSnG3.exe
  "C:\Users\Admin\Documents\HV0tThpMAQRV9oMGYvhTSnG3.exe"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Users\Admin\Documents\O9IoIZnbIEj6kFqWN4kLRyLY.exe
  "C:\Users\Admin\Documents\O9IoIZnbIEj6kFqWN4kLRyLY.exe"
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Users\Admin\Documents\U7_SqzvKKxfTsmgYfCStq3sf.exe
  "C:\Users\Admin\Documents\U7_SqzvKKxfTsmgYfCStq3sf.exe"
  2⤵
  - Executes dropped EXE
  PID:1564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 924
    3⤵
    - Program crash
    PID:2440
- C:\Users\Admin\Documents\tafjFV96WzabEthWGGD3Apny.exe
  "C:\Users\Admin\Documents\tafjFV96WzabEthWGGD3Apny.exe"
  2⤵
  - Executes dropped EXE
  PID:260
- - C:\Users\Admin\Documents\tafjFV96WzabEthWGGD3Apny.exe
    C:\Users\Admin\Documents\tafjFV96WzabEthWGGD3Apny.exe
    3⤵
    PID:2820
- C:\Users\Admin\Documents\vnLK01lj7cWqLNVGDTh2FIqX.exe
  "C:\Users\Admin\Documents\vnLK01lj7cWqLNVGDTh2FIqX.exe"
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Users\Admin\Documents\eb_Srgbx2WnZeOsF0kcu8HxI.exe
  "C:\Users\Admin\Documents\eb_Srgbx2WnZeOsF0kcu8HxI.exe"
  2⤵
  - Executes dropped EXE
  PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3583495249.exe"
    3⤵
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\3583495249.exe
      "C:\Users\Admin\AppData\Local\Temp\3583495249.exe"
      4⤵
      PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "eb_Srgbx2WnZeOsF0kcu8HxI.exe" /f & erase "C:\Users\Admin\Documents\eb_Srgbx2WnZeOsF0kcu8HxI.exe" & exit
    3⤵
    PID:2916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "eb_Srgbx2WnZeOsF0kcu8HxI.exe" /f
      4⤵
      Kills process with taskkill
      PID:2732
- C:\Users\Admin\Documents\6EmUAZu7JJ5KaeifsT2bxcWa.exe
  "C:\Users\Admin\Documents\6EmUAZu7JJ5KaeifsT2bxcWa.exe"
  2⤵
  - Executes dropped EXE
  PID:1388
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2268
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2312
- C:\Users\Admin\Documents\oxhDuy02GBWFb1WZQoVBWiMS.exe
  "C:\Users\Admin\Documents\oxhDuy02GBWFb1WZQoVBWiMS.exe"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Users\Admin\Documents\jWyiKuALPFR2Uon9zb0fNAH6.exe
  "C:\Users\Admin\Documents\jWyiKuALPFR2Uon9zb0fNAH6.exe"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Users\Admin\Documents\geLnMdk3AAj9hUdhpWI7GjWG.exe
  "C:\Users\Admin\Documents\geLnMdk3AAj9hUdhpWI7GjWG.exe"
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Users\Admin\Documents\GYs5zUJlK8wf7X8ju3ua1ofN.exe
  "C:\Users\Admin\Documents\GYs5zUJlK8wf7X8ju3ua1ofN.exe"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Users\Admin\Documents\bB3sj_mcMVU0BivA2jFiIlRB.exe
  "C:\Users\Admin\Documents\bB3sj_mcMVU0BivA2jFiIlRB.exe"
  2⤵
  - Executes dropped EXE
  PID:1168
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\bB3sj_mcMVU0BivA2jFiIlRB.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\bB3sj_mcMVU0BivA2jFiIlRB.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
    3⤵
    PID:1316
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\bB3sj_mcMVU0BivA2jFiIlRB.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\bB3sj_mcMVU0BivA2jFiIlRB.exe") do taskkill -IM "%~nXW" -f
      4⤵
      PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe
        
        WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9
        5⤵
        
        PID:1812
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
        6⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 "=="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe") do taskkill -IM "%~nXW" -f
        7⤵
        
        PID:520
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -IM "bB3sj_mcMVU0BivA2jFiIlRB.exe" -f
        5⤵
        Kills process with taskkill
        
        PID:2896
- C:\Users\Admin\Documents\gl5PYnLK6jmNDQzTz3JY_xpz.exe
  "C:\Users\Admin\Documents\gl5PYnLK6jmNDQzTz3JY_xpz.exe"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Users\Admin\Documents\a2lDUWV0Tp0F0Wtq7mBK9AEP.exe
  "C:\Users\Admin\Documents\a2lDUWV0Tp0F0Wtq7mBK9AEP.exe"
  2⤵
  - Executes dropped EXE
  PID:564
- - C:\Users\Admin\Documents\a2lDUWV0Tp0F0Wtq7mBK9AEP.exe
    C:\Users\Admin\Documents\a2lDUWV0Tp0F0Wtq7mBK9AEP.exe
    3⤵
    PID:2756
- C:\Users\Admin\Documents\ta4dYfxqKbVk6jWRfIpLxB0b.exe
  "C:\Users\Admin\Documents\ta4dYfxqKbVk6jWRfIpLxB0b.exe"
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Users\Admin\Documents\C4nJCLgNTfxrsW_kHCr8avQk.exe
  "C:\Users\Admin\Documents\C4nJCLgNTfxrsW_kHCr8avQk.exe"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Users\Admin\Documents\KuYsczkINZ1JLQum6mKVxR01.exe
  "C:\Users\Admin\Documents\KuYsczkINZ1JLQum6mKVxR01.exe"
  2⤵
  PID:848
- - C:\Users\Admin\Documents\KuYsczkINZ1JLQum6mKVxR01.exe
    "C:\Users\Admin\Documents\KuYsczkINZ1JLQum6mKVxR01.exe" -q
    3⤵
    PID:1368
- C:\Users\Admin\Documents\fcAtcrKiRMy0b6QR6z9PhJoJ.exe
  "C:\Users\Admin\Documents\fcAtcrKiRMy0b6QR6z9PhJoJ.exe"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\Documents\PWHBRuhwiN6dJiZkPEWJoKAj.exe
  "C:\Users\Admin\Documents\PWHBRuhwiN6dJiZkPEWJoKAj.exe"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Users\Admin\Documents\IztmKxKJvIHurkaMUQmbl_cD.exe
  "C:\Users\Admin\Documents\IztmKxKJvIHurkaMUQmbl_cD.exe"
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "IztmKxKJvIHurkaMUQmbl_cD.exe" /f & erase "C:\Users\Admin\Documents\IztmKxKJvIHurkaMUQmbl_cD.exe" & exit
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "IztmKxKJvIHurkaMUQmbl_cD.exe" /f
      4⤵
      Kills process with taskkill
      PID:464
- C:\Users\Admin\Documents\fzV9k8tWzzZN54pAPq4fXTVl.exe
  "C:\Users\Admin\Documents\fzV9k8tWzzZN54pAPq4fXTVl.exe"
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "fzV9k8tWzzZN54pAPq4fXTVl.exe" /f & erase "C:\Users\Admin\Documents\fzV9k8tWzzZN54pAPq4fXTVl.exe" & exit
    3⤵
    PID:1680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "fzV9k8tWzzZN54pAPq4fXTVl.exe" /f
      4⤵
      Kills process with taskkill
      PID:3020
- C:\Users\Admin\Documents\7F2OX5TAdt2ZFcldEuwIlyi0.exe
  "C:\Users\Admin\Documents\7F2OX5TAdt2ZFcldEuwIlyi0.exe"
  2⤵
  PID:1988
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    PID:1660
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:2152
- - C:\Program Files (x86)\Company\NewProduct\inst1.exe
    "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
    3⤵
    PID:2984
- - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    3⤵
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:1684
- C:\Users\Admin\Documents\f_QxJUq9kaOW1zTKqvudwtew.exe
  "C:\Users\Admin\Documents\f_QxJUq9kaOW1zTKqvudwtew.exe"
  2⤵
  PID:1492
- C:\Users\Admin\Documents\OkabGac8VUMGUcC3wq18ka__.exe
  "C:\Users\Admin\Documents\OkabGac8VUMGUcC3wq18ka__.exe"
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\OKABGA~1.DLL,s C:\Users\Admin\DOCUME~1\OKABGA~1.EXE
    3⤵
    PID:3028
  - - C:\Windows\SysWOW64\RUNDLL32.EXE
      C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\OKABGA~1.DLL,Yh5ETXFLN3Fo
      4⤵
      PID:2572

C:\Users\Admin\AppData\Local\Temp\2472.exe
C:\Users\Admin\AppData\Local\Temp\2472.exe
1⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\53FC.exe
C:\Users\Admin\AppData\Local\Temp\53FC.exe
1⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\538E.exe
C:\Users\Admin\AppData\Local\Temp\538E.exe
1⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\FAD.exe
C:\Users\Admin\AppData\Local\Temp\FAD.exe
1⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\78FC.exe
C:\Users\Admin\AppData\Local\Temp\78FC.exe
1⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\76E9.exe
C:\Users\Admin\AppData\Local\Temp\76E9.exe
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-210-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/260-205-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/564-175-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/564-173-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/700-211-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/900-188-0x0000000006632000-0x0000000006633000-memory.dmp

Filesize
4KB

Download
memory/900-182-0x0000000003CE0000-0x0000000003CFD000-memory.dmp

Filesize
116KB

Download
memory/900-171-0x0000000000400000-0x00000000023C0000-memory.dmp

Filesize
31.8MB

Download
memory/900-192-0x0000000004000000-0x000000000401C000-memory.dmp

Filesize
112KB

Download
memory/900-170-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/900-191-0x0000000006633000-0x0000000006634000-memory.dmp

Filesize
4KB

Download
memory/900-183-0x0000000006631000-0x0000000006632000-memory.dmp

Filesize
4KB

Download
memory/900-197-0x0000000006634000-0x0000000006636000-memory.dmp

Filesize
8KB

Download
memory/1036-202-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1036-204-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1052-245-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/1052-243-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1204-199-0x0000000002A10000-0x0000000002A26000-memory.dmp

Filesize
88KB

Download
memory/1204-239-0x0000000002C40000-0x0000000002C56000-memory.dmp

Filesize
88KB

Download
memory/1492-189-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1492-196-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1528-60-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1528-61-0x0000000003B50000-0x0000000003C8F000-memory.dmp

Filesize
1.2MB

Download
memory/1552-220-0x00000000071E2000-0x00000000071E3000-memory.dmp

Filesize
4KB

Download
memory/1552-198-0x00000000002B0000-0x00000000002DF000-memory.dmp

Filesize
188KB

Download
memory/1552-200-0x0000000000400000-0x0000000002CD0000-memory.dmp

Filesize
40.8MB

Download
memory/1552-217-0x0000000002D20000-0x0000000002D3C000-memory.dmp

Filesize
112KB

Download
memory/1552-230-0x00000000071E4000-0x00000000071E6000-memory.dmp

Filesize
8KB

Download
memory/1552-218-0x0000000002F80000-0x0000000002F9A000-memory.dmp

Filesize
104KB

Download
memory/1552-219-0x00000000071E1000-0x00000000071E2000-memory.dmp

Filesize
4KB

Download
memory/1552-221-0x00000000071E3000-0x00000000071E4000-memory.dmp

Filesize
4KB

Download
memory/1556-228-0x0000000004133000-0x0000000004134000-memory.dmp

Filesize
4KB

Download
memory/1556-231-0x0000000004134000-0x0000000004136000-memory.dmp

Filesize
8KB

Download
memory/1556-194-0x0000000000400000-0x00000000023C2000-memory.dmp

Filesize
31.8MB

Download
memory/1556-193-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1556-222-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/1556-226-0x0000000004131000-0x0000000004132000-memory.dmp

Filesize
4KB

Download
memory/1556-227-0x0000000004132000-0x0000000004133000-memory.dmp

Filesize
4KB

Download
memory/1556-223-0x0000000003DD0000-0x0000000003DEC000-memory.dmp

Filesize
112KB

Download
memory/1564-157-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1564-165-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1640-169-0x0000000000220000-0x000000000026A000-memory.dmp

Filesize
296KB

Download
memory/1640-172-0x0000000000400000-0x0000000002CDC000-memory.dmp

Filesize
40.9MB

Download
memory/1692-232-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1720-180-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1720-195-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1796-138-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1796-79-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1812-238-0x00000000046B0000-0x00000000047B3000-memory.dmp

Filesize
1.0MB

Download
memory/1812-241-0x0000000000400000-0x0000000002D9F000-memory.dmp

Filesize
41.6MB

Download
memory/2012-179-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2012-186-0x0000000000400000-0x0000000002CBB000-memory.dmp

Filesize
40.7MB

Download
memory/2052-161-0x0000000000400000-0x00000000023BA000-memory.dmp

Filesize
31.7MB

Download
memory/2052-160-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2100-250-0x00000000003A0000-0x00000000003D0000-memory.dmp

Filesize
192KB

Download
memory/2100-251-0x0000000000400000-0x0000000002CC7000-memory.dmp

Filesize
40.8MB

Download
memory/2152-264-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2440-257-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2572-283-0x0000000000960000-0x0000000000ABF000-memory.dmp

Filesize
1.4MB

Download
memory/2572-284-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2756-207-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2756-216-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2756-213-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-229-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/2820-224-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-212-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2984-267-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/3028-280-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/3028-256-0x0000000001CA0000-0x0000000001DFF000-memory.dmp

Filesize
1.4MB

Download
memory/3032-279-0x00000000047E0000-0x00000000047FC000-memory.dmp

Filesize
112KB

Download
memory/3032-278-0x0000000002E60000-0x0000000002E7D000-memory.dmp

Filesize
116KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads