matiex | 9c3352f10d1219bd3a932ff49aef99826d43a134d1f0e553e6af1ed8e428a47f

General

Target

Payment Notification.exe
Size

1.0MB
MD5

22d61a1e0f48b05fec1a4cf9da160b16
SHA1

68826094caeffc43d24ddf0d2ad1c6ed5e961272
SHA256

78f08071af81517d374179110b8018fce8d6670abd110ab76fdf811a08761ad4
SHA512

760c4b4b9fdc3fca93129a0bc973e27bbe8e9d696baae51509a70dc8a8f0fc1ad8a1fa5801c9f21cacfea66bc728de1102f868d1a348fde1350f42d337d2df5d

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.revistaeducar.com.ar
Port:
25
Username:
[email protected]
Password:
somchai#3774

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3420-138-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payment Notification.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Payment Notification.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

79 freegeoip.app
80 freegeoip.app
77 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Notification.exe

description pid process target process

PID 3864 set thread context of 3420 3864 Payment Notification.exe RegSvcs.exe

flow	ioc
79	freegeoip.app
80	freegeoip.app
77	checkip.dyndns.org

description	pid	process	target process
PID 3864 set thread context of 3420	3864	Payment Notification.exe	RegSvcs.exe

Drops file in Windows directory 3 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3276 schtasks.exe

pid	process
3276	schtasks.exe

Modifies data under HKEY_USERS 53 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.352113"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4164"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4360"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132901196027576184"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.893944"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Payment Notification.exe

pid process

3864 Payment Notification.exe
3864 Payment Notification.exe
3864 Payment Notification.exe
3864 Payment Notification.exe

pid	process
3864	Payment Notification.exe
3864	Payment Notification.exe
3864	Payment Notification.exe
3864	Payment Notification.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exe

description	pid	process
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe
Token: SeRestorePrivilege	2664	TiWorker.exe
Token: SeSecurityPrivilege	2664	TiWorker.exe
Token: SeBackupPrivilege	2664	TiWorker.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Payment Notification.exe

description	pid	process	target process
PID 3864 wrote to memory of 3276	3864	Payment Notification.exe	schtasks.exe
PID 3864 wrote to memory of 3276	3864	Payment Notification.exe	schtasks.exe
PID 3864 wrote to memory of 3276	3864	Payment Notification.exe	schtasks.exe
PID 3864 wrote to memory of 1380	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 1380	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 1380	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 2420	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 2420	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 2420	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 3420	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 3420	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 3420	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 3420	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 3420	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 3420	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 3420	3864	Payment Notification.exe	RegSvcs.exe
PID 3864 wrote to memory of 3420	3864	Payment Notification.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Payment Notification.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Notification.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tgZOYkOUhk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDC3.tmp"
2⤵
- Creates scheduled task(s)
PID:3276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:3420

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3724

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCDC3.tmp
MD5
7b9c4b7832b75cb0a8b311f0013d7b8f

SHA1
5ddd2da48f9bd89a8c4873c7c16cb72b50e3b495

SHA256
9d946e260a426596414b305c6305c9750d2f231997707c83d4a21742030f4cc9

SHA512
2eef86a25761ea2308bb9a06fd1c523b04ba7a7aa18a44bc36637663439165d11f6dc70690daae8109eddd9a1a5da00f2090145b1c33194edc0f0024b04f8f85

Download Submit
memory/3420-138-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3420-139-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/3420-140-0x0000000004EB0000-0x0000000004F16000-memory.dmp

Filesize
408KB

Download
memory/3420-141-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3864-130-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/3864-131-0x0000000000B40000-0x0000000000C4E000-memory.dmp

Filesize
1.1MB

Download
memory/3864-132-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/3864-133-0x00000000054F0000-0x0000000005582000-memory.dmp

Filesize
584KB

Download
memory/3864-134-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/3864-135-0x00000000054A0000-0x00000000054AA000-memory.dmp

Filesize
40KB

Download
memory/3864-136-0x0000000007A00000-0x0000000007A9C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads