revengerat | 5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2

General

Target

5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
Size

190KB
MD5

a1d732c8477b8e487981c475cfb4fda0
SHA1

afffdaf652d9445aba3f9c3809d555c7224ad201
SHA256

5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2
SHA512

0c2db6108881de5fe86d7bd198adb2770b7653c064ed29ce4bb48a9deb86421be8fd6a1424fd2a491ca2f804da2f9d9f21470a5545255746a1a55192500819ff

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4560-138-0x0000000000400000-0x000000000042A000-memory.dmp	revengerat
behavioral2/memory/4560-140-0x0000000000400000-0x000000000042A000-memory.dmp	revengerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wind0wsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exeRegSvcs.exeRegSvcs.exe

description	pid	process	target process
PID 4092 set thread context of 4560	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4560 set thread context of 624	4560	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 624 set thread context of 4444	624	RegSvcs.exe	RegSvcs.exe
PID 4444 set thread context of 4764	4444	RegSvcs.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2608 schtasks.exe

pid	process
2608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exePowershell.exeRegSvcs.exePowershell.exe

pid	process
4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
1868	Powershell.exe
1868	Powershell.exe
624	RegSvcs.exe
624	RegSvcs.exe
3124	Powershell.exe
3124	Powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exePowershell.exeRegSvcs.exePowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
Token: SeDebugPrivilege	4560	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
Token: SeDebugPrivilege	1868	Powershell.exe
Token: SeDebugPrivilege	624	RegSvcs.exe
Token: SeDebugPrivilege	3124	Powershell.exe
Token: SeDebugPrivilege	4444	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4444	RegSvcs.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exeRegSvcs.exeRegSvcs.exe

description	pid	process	target process
PID 4092 wrote to memory of 1868	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	Powershell.exe
PID 4092 wrote to memory of 1868	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	Powershell.exe
PID 4092 wrote to memory of 1868	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	Powershell.exe
PID 4092 wrote to memory of 3820	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4092 wrote to memory of 3820	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4092 wrote to memory of 3820	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4092 wrote to memory of 4560	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4092 wrote to memory of 4560	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4092 wrote to memory of 4560	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4092 wrote to memory of 4560	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4092 wrote to memory of 4560	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4092 wrote to memory of 4560	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4092 wrote to memory of 4560	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4092 wrote to memory of 4560	4092	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 4560 wrote to memory of 624	4560	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 4560 wrote to memory of 624	4560	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 4560 wrote to memory of 624	4560	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 4560 wrote to memory of 624	4560	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 4560 wrote to memory of 624	4560	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 4560 wrote to memory of 624	4560	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 4560 wrote to memory of 624	4560	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 4560 wrote to memory of 624	4560	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 624 wrote to memory of 3124	624	RegSvcs.exe	Powershell.exe
PID 624 wrote to memory of 3124	624	RegSvcs.exe	Powershell.exe
PID 624 wrote to memory of 3124	624	RegSvcs.exe	Powershell.exe
PID 624 wrote to memory of 4808	624	RegSvcs.exe	RegSvcs.exe
PID 624 wrote to memory of 4808	624	RegSvcs.exe	RegSvcs.exe
PID 624 wrote to memory of 4808	624	RegSvcs.exe	RegSvcs.exe
PID 624 wrote to memory of 4444	624	RegSvcs.exe	RegSvcs.exe
PID 624 wrote to memory of 4444	624	RegSvcs.exe	RegSvcs.exe
PID 624 wrote to memory of 4444	624	RegSvcs.exe	RegSvcs.exe
PID 624 wrote to memory of 4444	624	RegSvcs.exe	RegSvcs.exe
PID 624 wrote to memory of 4444	624	RegSvcs.exe	RegSvcs.exe
PID 624 wrote to memory of 4444	624	RegSvcs.exe	RegSvcs.exe
PID 624 wrote to memory of 4444	624	RegSvcs.exe	RegSvcs.exe
PID 624 wrote to memory of 4444	624	RegSvcs.exe	RegSvcs.exe
PID 4444 wrote to memory of 4764	4444	RegSvcs.exe	RegSvcs.exe
PID 4444 wrote to memory of 4764	4444	RegSvcs.exe	RegSvcs.exe
PID 4444 wrote to memory of 4764	4444	RegSvcs.exe	RegSvcs.exe
PID 4444 wrote to memory of 4764	4444	RegSvcs.exe	RegSvcs.exe
PID 4444 wrote to memory of 4764	4444	RegSvcs.exe	RegSvcs.exe
PID 4444 wrote to memory of 4764	4444	RegSvcs.exe	RegSvcs.exe
PID 4444 wrote to memory of 4764	4444	RegSvcs.exe	RegSvcs.exe
PID 4444 wrote to memory of 4764	4444	RegSvcs.exe	RegSvcs.exe
PID 4444 wrote to memory of 2608	4444	RegSvcs.exe	schtasks.exe
PID 4444 wrote to memory of 2608	4444	RegSvcs.exe	schtasks.exe
PID 4444 wrote to memory of 2608	4444	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
"C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
"C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe"
2⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
"C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:4808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:4764

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Wind0wsUpdate" /tr "C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe"
5⤵
- Creates scheduled task(s)
PID:2608

C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
1⤵
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe.log
Filesize
1KB

MD5
6dd2b2e332f641268ade3fbee81828a0

SHA1
fbb9ba6b2d8644acc81d1813df8394eb16935058

SHA256
4005814778c17ce5bb518ba97a0e3a7547e9fd54c736b45b145d51ae38e34f46

SHA512
30d7ef784b86b5184fd5d851bd3725325ffef723815107008b159b43b3e40fbbfc00f5ce071113aaa11334d5878e86da0bd4bef5d3d403622da4028311d1884f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Filesize
1KB

MD5
6dd2b2e332f641268ade3fbee81828a0

SHA1
fbb9ba6b2d8644acc81d1813df8394eb16935058

SHA256
4005814778c17ce5bb518ba97a0e3a7547e9fd54c736b45b145d51ae38e34f46

SHA512
30d7ef784b86b5184fd5d851bd3725325ffef723815107008b159b43b3e40fbbfc00f5ce071113aaa11334d5878e86da0bd4bef5d3d403622da4028311d1884f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
55KB

MD5
b091afea30c53e852ff87760493a4e25

SHA1
89d09951d8be200471398980e767066e68d0f11c

SHA256
eb95c19fd71ac984b6283043868a23b56f423242fb2d01d7a786c2b589bdc714

SHA512
0a4874a3629b594afee75996168f1b1f0f11de9c75ac29aed00d29d697daf59fdab5c734e60264a5081072017ad18093bbfa565e93a4823b2a8df0ef18e8ff1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
fb625463c4e090dec87d6e0727de0e2f

SHA1
b1e9d82730e88db242d785f202185c169db76084

SHA256
fdcaf361e70feaba74eaaf701d15e75c4709f17faa3e96d8c0b00d828d7c6929

SHA512
94baa8b8ace584a5bb2446ed2651dac3aaa7571b76c4762ffdeb29e1679f3a30c91b29e66c174ac8ab4b1be6a052e1ebe72a1929356881f4cde30f3e879ffabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaKuSAtY.txt
Filesize
102B

MD5
1b80a307a8f18e71776685fb3db70dd5

SHA1
bed0d61ab329d104529b08901c6bbec99b6b5304

SHA256
bf3fbf767f323252031d09911a1a0f7b573fe56ee8b15fa1b6bd1a32aa395a73

SHA512
15d9661d803b9e66078b07f18f281e844197176574fa712136b237a315fe6fb275bf9bc1d1b0b9118d5bff911f298310a3053fe50ba5a9abd79356f3a654862e

Download Submit
memory/624-143-0x0000000000000000-mapping.dmp

Download
memory/1868-169-0x00000000072B0000-0x00000000072BE000-memory.dmp

Filesize
56KB

Download
memory/1868-167-0x00000000070D0000-0x00000000070DA000-memory.dmp

Filesize
40KB

Download
memory/1868-141-0x00000000023A0000-0x00000000023D6000-memory.dmp

Filesize
216KB

Download
memory/1868-163-0x0000000071930000-0x000000007197C000-memory.dmp

Filesize
304KB

Download
memory/1868-170-0x00000000073A0000-0x00000000073BA000-memory.dmp

Filesize
104KB

Download
memory/1868-135-0x0000000000000000-mapping.dmp

Download
memory/1868-144-0x0000000004E00000-0x0000000005428000-memory.dmp

Filesize
6.2MB

Download
memory/1868-146-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

Filesize
136KB

Download
memory/1868-147-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/1868-148-0x0000000005D60000-0x0000000005D7E000-memory.dmp

Filesize
120KB

Download
memory/2608-174-0x0000000000000000-mapping.dmp

Download
memory/3124-165-0x0000000007E10000-0x000000000848A000-memory.dmp

Filesize
6.5MB

Download
memory/3124-171-0x0000000007A40000-0x0000000007A48000-memory.dmp

Filesize
32KB

Download
memory/3124-166-0x00000000077B0000-0x00000000077CA000-memory.dmp

Filesize
104KB

Download
memory/3124-168-0x0000000007A70000-0x0000000007B06000-memory.dmp

Filesize
600KB

Download
memory/3124-149-0x0000000000000000-mapping.dmp

Download
memory/3124-164-0x00000000069D0000-0x00000000069EE000-memory.dmp

Filesize
120KB

Download
memory/3124-162-0x0000000071930000-0x000000007197C000-memory.dmp

Filesize
304KB

Download
memory/3124-161-0x0000000005240000-0x0000000005272000-memory.dmp

Filesize
200KB

Download
memory/3820-136-0x0000000000000000-mapping.dmp

Download
memory/4092-133-0x000000000AC00000-0x000000000AC0A000-memory.dmp

Filesize
40KB

Download
memory/4092-134-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/4092-130-0x0000000000BF0000-0x0000000000C24000-memory.dmp

Filesize
208KB

Download
memory/4092-132-0x000000000AC10000-0x000000000ACA2000-memory.dmp

Filesize
584KB

Download
memory/4092-131-0x000000000B0D0000-0x000000000B674000-memory.dmp

Filesize
5.6MB

Download
memory/4444-151-0x0000000000000000-mapping.dmp

Download
memory/4560-142-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/4560-137-0x0000000000000000-mapping.dmp

Download
memory/4560-138-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4560-140-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4764-160-0x0000000005120000-0x000000000515C000-memory.dmp

Filesize
240KB

Download
memory/4764-157-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4764-156-0x0000000000000000-mapping.dmp

Download
memory/4808-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads