revengerat | 052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1

General

Target

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
Size

577KB
MD5

1711710d30ed4194ccfde68c6b6f3b22
SHA1

4f399c035bb370610940a96b3aab90eab884a925
SHA256

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1
SHA512

fbb943b1a20a4fbe0d1d5da5b5b874cb7b728354fc24c4ab1b0d827220052d7b34117980f7a1e993814b83bc02264a8af916a0fd909cbdd065cb11b396fc9353

Score

10^/10

revengerat guest evasion stealer trojan

Malware Config

Extracted

Family

revengerat

Mutex

Extracted

Family

revengerat

Botnet

Guest

C2

93.155.97.82:333

93.155.97.82:1604

neudria.ddns.net:333

neudria.ddns.net:1604

Mutex

RV_MUTEX-ZFbTXZMONFueOci

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1656-70-0x00000000041F0000-0x00000000041F8000-memory.dmp	revengerat
behavioral1/memory/2032-74-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/2032-75-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/2032-76-0x0000000000405E0E-mapping.dmp	revengerat
behavioral1/memory/2032-81-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/2032-79-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

Drops startup file 1 IoCs

Processes:

cscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StreamX.Lnk cscript.exe
Loads dropped DLL 1 IoCs

Processes:

cscript.exe

pid process

912 cscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StreamX.Lnk	cscript.exe

pid	process
912	cscript.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

description	pid	process	target process
PID 1656 set thread context of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

pid	process
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
Token: SeDebugPrivilege	2032	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.execmd.exe

description	pid	process	target process
PID 1656 wrote to memory of 912	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cscript.exe
PID 1656 wrote to memory of 912	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cscript.exe
PID 1656 wrote to memory of 912	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cscript.exe
PID 1656 wrote to memory of 912	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cscript.exe
PID 1656 wrote to memory of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 1656 wrote to memory of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 1656 wrote to memory of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 1656 wrote to memory of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 1656 wrote to memory of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 1656 wrote to memory of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 1656 wrote to memory of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 1656 wrote to memory of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 1656 wrote to memory of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 1656 wrote to memory of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 1656 wrote to memory of 2032	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 1656 wrote to memory of 1344	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cmd.exe
PID 1656 wrote to memory of 1344	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cmd.exe
PID 1656 wrote to memory of 1344	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cmd.exe
PID 1656 wrote to memory of 1344	1656	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cmd.exe
PID 1344 wrote to memory of 1352	1344	cmd.exe	choice.exe
PID 1344 wrote to memory of 1352	1344	cmd.exe	choice.exe
PID 1344 wrote to memory of 1352	1344	cmd.exe	choice.exe
PID 1344 wrote to memory of 1352	1344	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
"C:\Users\Admin\AppData\Local\Temp\052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\StreamX.vbs
2⤵
- Drops startup file
- Loads dropped DLL
PID:912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\StreamX.exe
Filesize
577KB

MD5
1711710d30ed4194ccfde68c6b6f3b22

SHA1
4f399c035bb370610940a96b3aab90eab884a925

SHA256
052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1

SHA512
fbb943b1a20a4fbe0d1d5da5b5b874cb7b728354fc24c4ab1b0d827220052d7b34117980f7a1e993814b83bc02264a8af916a0fd909cbdd065cb11b396fc9353

Download Submit
C:\Users\Admin\StreamX.vbs
Filesize
275B

MD5
cf428ca413e6966414f8bd4e04ee48cb

SHA1
1db80df27ddfd1d81d181bc70c312dd3d4388bff

SHA256
15845597e335f71cad5e9b680bd6f1c7de7ba676dbb275b20b67c8fb9c6fc22e

SHA512
befce47732be9891c364db21c740deb0985c03114b1c1a3f83db03d3c0445a45558005125e25d8c897737f6c99e163b07b8fa28985387bf429cad7af00992f08

Download Submit
\Users\Admin\StreamX.exe
Filesize
577KB

MD5
1711710d30ed4194ccfde68c6b6f3b22

SHA1
4f399c035bb370610940a96b3aab90eab884a925

SHA256
052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1

SHA512
fbb943b1a20a4fbe0d1d5da5b5b874cb7b728354fc24c4ab1b0d827220052d7b34117980f7a1e993814b83bc02264a8af916a0fd909cbdd065cb11b396fc9353

Download Submit
memory/912-59-0x0000000000000000-mapping.dmp

Download
memory/1344-78-0x0000000000000000-mapping.dmp

Download
memory/1352-83-0x0000000000000000-mapping.dmp

Download
memory/1656-67-0x00000000708F0000-0x00000000709EC000-memory.dmp

Filesize
1008KB

Download
memory/1656-68-0x00000000701B0000-0x00000000708EE000-memory.dmp

Filesize
7.2MB

Download
memory/1656-63-0x0000000073740000-0x0000000073F20000-memory.dmp

Filesize
7.9MB

Download
memory/1656-56-0x0000000001DF0000-0x0000000001E2E000-memory.dmp

Filesize
248KB

Download
memory/1656-55-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1656-66-0x00000000709F0000-0x0000000071746000-memory.dmp

Filesize
13.3MB

Download
memory/1656-58-0x0000000072160000-0x00000000734EF000-memory.dmp

Filesize
19.6MB

Download
memory/1656-57-0x0000000001ED0000-0x0000000001EF8000-memory.dmp

Filesize
160KB

Download
memory/1656-69-0x000000006FF90000-0x00000000700B3000-memory.dmp

Filesize
1.1MB

Download
memory/1656-70-0x00000000041F0000-0x00000000041F8000-memory.dmp

Filesize
32KB

Download
memory/1656-94-0x0000000071750000-0x0000000072160000-memory.dmp

Filesize
10.1MB

Download
memory/1656-93-0x0000000072160000-0x00000000734EF000-memory.dmp

Filesize
19.6MB

Download
memory/1656-54-0x0000000000380000-0x0000000000416000-memory.dmp

Filesize
600KB

Download
memory/1656-84-0x000000006F880000-0x000000006FA51000-memory.dmp

Filesize
1.8MB

Download
memory/1656-60-0x0000000071750000-0x0000000072160000-memory.dmp

Filesize
10.1MB

Download
memory/2032-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2032-81-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2032-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2032-76-0x0000000000405E0E-mapping.dmp

Download
memory/2032-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2032-85-0x000000006EFE0000-0x000000006F58B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-86-0x000000006E440000-0x000000006EF38000-memory.dmp

Filesize
11.0MB

Download
memory/2032-87-0x000000006DC40000-0x000000006E3DC000-memory.dmp

Filesize
7.6MB

Download
memory/2032-88-0x000000006DAB0000-0x000000006DC38000-memory.dmp

Filesize
1.5MB

Download
memory/2032-89-0x000000006CED0000-0x000000006DAAE000-memory.dmp

Filesize
11.9MB

Download
memory/2032-90-0x000000006CD30000-0x000000006CECB000-memory.dmp

Filesize
1.6MB

Download
memory/2032-91-0x000000006CC30000-0x000000006CD21000-memory.dmp

Filesize
964KB

Download
memory/2032-92-0x000000006C6F0000-0x000000006CC26000-memory.dmp

Filesize
5.2MB

Download
memory/2032-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2032-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2032-95-0x000000006EFE0000-0x000000006F58B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-96-0x000000006E440000-0x000000006EF38000-memory.dmp

Filesize
11.0MB

Download
memory/2032-97-0x000000006DC40000-0x000000006E3DC000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads