0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488

Resubmissions

04/10/2023, 21:26

231004-1akzwsfb7v 9

23/02/2022, 01:55

220223-cchqjshhem 9

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-en-20211208
submitted
23/02/2022, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe
Size

12.6MB
MD5

e63dc29b24934b64f077291d2eba75f2
SHA1

b1cdd6ccc14f5f65bef59975667d6306a1cd07b3
SHA256

0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488
SHA512

b09df1937edc922a2d25bb3f60ac45f289db0a99fb0d0c581da10ff56237c3bd2012f02a28f1afae148dad2f744af86668b2a5e39f09aa286020d8c0221c9213

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/544-69-0x000000001B480000-0x000000001B7C2000-memory.dmp	WebBrowserPassView
behavioral1/files/0x0006000000013935-91.dat	WebBrowserPassView
behavioral1/files/0x0006000000013935-90.dat	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/544-69-0x000000001B480000-0x000000001B7C2000-memory.dmp	Nirsoft
behavioral1/files/0x0006000000013905-83.dat	Nirsoft
behavioral1/files/0x0006000000013905-84.dat	Nirsoft
behavioral1/files/0x0006000000013935-91.dat	Nirsoft
behavioral1/files/0x0006000000013935-90.dat	Nirsoft
behavioral1/files/0x0006000000013921-102.dat	Nirsoft
behavioral1/files/0x0006000000013921-104.dat	Nirsoft
behavioral1/files/0x0006000000013929-112.dat	Nirsoft
behavioral1/files/0x0006000000013929-111.dat	Nirsoft

Executes dropped EXE 9 IoCs

pid	Process
524	asdas.exe
544	RtkBtManServ.exe
608	sms.exe
908	bfsvc.exe
984	snuvcdsm.exe
2028	winhlp32.exe
1752	splwow64.exe
1728	hh.exe
1524	xwizard.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000013919-97.dat	upx
behavioral1/files/0x0006000000013919-98.dat	upx
behavioral1/files/0x0006000000013925-101.dat	upx
behavioral1/files/0x0006000000013925-99.dat	upx

Loads dropped DLL 3 IoCs

pid	Process
524	asdas.exe
316	0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe
1676	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RtkBtManServ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RtkBtManServ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RtkBtManServ.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs

pid	Process
908	bfsvc.exe
984	snuvcdsm.exe
2028	winhlp32.exe
1752	splwow64.exe
1728	hh.exe
1524	xwizard.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
984	snuvcdsm.exe
1728	hh.exe
1524	xwizard.exe
1524	xwizard.exe
1524	xwizard.exe
1524	xwizard.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	RtkBtManServ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 524	316	0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe	27
PID 316 wrote to memory of 524	316	0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe	27
PID 316 wrote to memory of 524	316	0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe	27
PID 316 wrote to memory of 524	316	0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe	27
PID 524 wrote to memory of 544	524	asdas.exe	29
PID 524 wrote to memory of 544	524	asdas.exe	29
PID 524 wrote to memory of 544	524	asdas.exe	29
PID 524 wrote to memory of 544	524	asdas.exe	29
PID 316 wrote to memory of 608	316	0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe	30
PID 316 wrote to memory of 608	316	0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe	30
PID 316 wrote to memory of 608	316	0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe	30
PID 544 wrote to memory of 1768	544	RtkBtManServ.exe	32
PID 544 wrote to memory of 1768	544	RtkBtManServ.exe	32
PID 544 wrote to memory of 1768	544	RtkBtManServ.exe	32
PID 1768 wrote to memory of 1700	1768	WScript.exe	33
PID 1768 wrote to memory of 1700	1768	WScript.exe	33
PID 1768 wrote to memory of 1700	1768	WScript.exe	33
PID 1700 wrote to memory of 908	1700	cmd.exe	35
PID 1700 wrote to memory of 908	1700	cmd.exe	35
PID 1700 wrote to memory of 908	1700	cmd.exe	35
PID 1700 wrote to memory of 908	1700	cmd.exe	35
PID 544 wrote to memory of 1620	544	RtkBtManServ.exe	36
PID 544 wrote to memory of 1620	544	RtkBtManServ.exe	36
PID 544 wrote to memory of 1620	544	RtkBtManServ.exe	36
PID 1620 wrote to memory of 464	1620	WScript.exe	37
PID 1620 wrote to memory of 464	1620	WScript.exe	37
PID 1620 wrote to memory of 464	1620	WScript.exe	37
PID 464 wrote to memory of 984	464	cmd.exe	39
PID 464 wrote to memory of 984	464	cmd.exe	39
PID 464 wrote to memory of 984	464	cmd.exe	39
PID 464 wrote to memory of 984	464	cmd.exe	39
PID 544 wrote to memory of 1676	544	RtkBtManServ.exe	41
PID 544 wrote to memory of 1676	544	RtkBtManServ.exe	41
PID 544 wrote to memory of 1676	544	RtkBtManServ.exe	41
PID 1676 wrote to memory of 1180	1676	WScript.exe	42
PID 1676 wrote to memory of 1180	1676	WScript.exe	42
PID 1676 wrote to memory of 1180	1676	WScript.exe	42
PID 1180 wrote to memory of 2028	1180	cmd.exe	44
PID 1180 wrote to memory of 2028	1180	cmd.exe	44
PID 1180 wrote to memory of 2028	1180	cmd.exe	44
PID 1180 wrote to memory of 2028	1180	cmd.exe	44
PID 1180 wrote to memory of 1752	1180	cmd.exe	45
PID 1180 wrote to memory of 1752	1180	cmd.exe	45
PID 1180 wrote to memory of 1752	1180	cmd.exe	45
PID 1180 wrote to memory of 1752	1180	cmd.exe	45
PID 1180 wrote to memory of 1728	1180	cmd.exe	46
PID 1180 wrote to memory of 1728	1180	cmd.exe	46
PID 1180 wrote to memory of 1728	1180	cmd.exe	46
PID 1180 wrote to memory of 1728	1180	cmd.exe	46
PID 544 wrote to memory of 1732	544	RtkBtManServ.exe	49
PID 544 wrote to memory of 1732	544	RtkBtManServ.exe	49
PID 544 wrote to memory of 1732	544	RtkBtManServ.exe	49
PID 1732 wrote to memory of 1844	1732	WScript.exe	50
PID 1732 wrote to memory of 1844	1732	WScript.exe	50
PID 1732 wrote to memory of 1844	1732	WScript.exe	50
PID 1844 wrote to memory of 1524	1844	cmd.exe	52
PID 1844 wrote to memory of 1524	1844	cmd.exe	52
PID 1844 wrote to memory of 1524	1844	cmd.exe	52
PID 1844 wrote to memory of 1524	1844	cmd.exe	52
PID 544 wrote to memory of 572	544	RtkBtManServ.exe	54
PID 544 wrote to memory of 572	544	RtkBtManServ.exe	54
PID 544 wrote to memory of 572	544	RtkBtManServ.exe	54
PID 572 wrote to memory of 524	572	cmd.exe	55
PID 572 wrote to memory of 524	572	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe
"C:\Users\Admin\AppData\Local\Temp\0001c1409b360fc8e1b6933d20c7bfa42e1f5d7bc1593a5057a96930e0b53488.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdas.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdas.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
    "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs7LIsqCC4a/AX2b2RVR/YEUkVsAd21s1Zj3Q7+D+wBDqZXHiuUwqD+ulat5YCzOWXvJWtDoU7A9lCKly9ij2EI/e2+S7OW+qFJxtlQeFXgI2TuHiauFjXibHW/+xco2h6U=
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
        
        C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:908
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        
        PID:984
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
        
        C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2028
      - C:\Users\Admin\AppData\Local\Temp\splwow64.exe
        
        C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1752
      - C:\Users\Admin\AppData\Local\Temp\hh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        
        PID:1728
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1844
      - C:\Users\Admin\AppData\Local\Temp\xwizard.exe
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:524
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sms.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sms.exe
  2⤵
  - Executes dropped EXE
  PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-54-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp

Filesize
8KB

Download
memory/524-57-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/524-58-0x0000000000A30000-0x0000000000D2C000-memory.dmp

Filesize
3.0MB

Download
memory/524-59-0x0000000000A42000-0x0000000000A43000-memory.dmp

Filesize
4KB

Download
memory/524-60-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/544-74-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download
memory/544-67-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/544-68-0x0000000000960000-0x0000000000C3A000-memory.dmp

Filesize
2.9MB

Download
memory/544-69-0x000000001B480000-0x000000001B7C2000-memory.dmp

Filesize
3.3MB

Download
memory/544-70-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/544-71-0x000000001B2A0000-0x000000001B2A2000-memory.dmp

Filesize
8KB

Download
memory/544-72-0x00000000006B0000-0x0000000000760000-memory.dmp

Filesize
704KB

Download
memory/544-79-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/544-75-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/544-76-0x00000000007E0000-0x00000000007FA000-memory.dmp

Filesize
104KB

Download
memory/544-77-0x0000000000920000-0x0000000000952000-memory.dmp

Filesize
200KB

Download
memory/544-78-0x000000001B1D0000-0x000000001B272000-memory.dmp

Filesize
648KB

Download
memory/908-85-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download