xtremerat | d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

Analysis

max time kernel
146s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe
Size

405KB
MD5

acb6797410609685f65ce25978fbbc71
SHA1

79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2
SHA256

d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af
SHA512

d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e
SSDEEP

12288:VkqF3zfVnl6VCB+lHOWbtOBEtV1H8UTAti5:VkqF3hoAyx2Vc5

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Adds policy Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeSkype.exeSkype.exeSkype.exed53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exeSkype.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Skype.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\google = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Skype.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Skype.exe

Executes dropped EXE 5 IoCs

Processes:

Skype.exeSkype.exeSkype.exeSkype.exeSkype.exe

pid process

984 Skype.exe
1932 Skype.exe
1908 Skype.exe
1048 Skype.exe
1652 Skype.exe

pid	process
984	Skype.exe
1932	Skype.exe
1908	Skype.exe
1048	Skype.exe
1652	Skype.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1124-87-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1124-90-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1124-93-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1124-96-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1124-98-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1124-99-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1124-100-0x0000000001610000-0x0000000001720000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

svchost.exed53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe

pid	process
1548	svchost.exe
1548	svchost.exe
1548	svchost.exe
1548	svchost.exe
1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe
1548	svchost.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Skype.exeSkype.exeSkype.exeSkype.exed53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Skype.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Skype.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Skype.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\google\\Skype.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Skype.exe

description pid process target process

PID 1048 set thread context of 1124 1048 Skype.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

explorer.exe

pid process

1124 explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe

pid process

1544 d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe

description	pid	process	target process
PID 1048 set thread context of 1124	1048	Skype.exe	explorer.exe

pid	process
1124	explorer.exe

pid	process
1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exesvchost.exe

description	pid	process	target process
PID 1544 wrote to memory of 1548	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	svchost.exe
PID 1544 wrote to memory of 1548	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	svchost.exe
PID 1544 wrote to memory of 1548	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	svchost.exe
PID 1544 wrote to memory of 1548	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	svchost.exe
PID 1544 wrote to memory of 1548	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	svchost.exe
PID 1544 wrote to memory of 1720	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1720	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1720	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1720	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 524	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 524	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 524	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 524	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 572	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 572	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 572	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 572	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1280	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1280	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1280	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1280	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1476	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1476	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1476	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1476	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1112	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1112	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1112	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1112	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 676	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 676	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 676	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 676	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 700	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 700	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 700	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 700	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 948	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 948	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 948	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 948	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1488	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1488	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1488	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1488	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 640	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 640	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 640	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 640	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 472	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 472	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 472	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 472	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1332	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1332	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1332	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1332	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	iexplore.exe
PID 1544 wrote to memory of 1716	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1716	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1716	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1544 wrote to memory of 1716	1544	d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe	explorer.exe
PID 1548 wrote to memory of 984	1548	svchost.exe	Skype.exe
PID 1548 wrote to memory of 984	1548	svchost.exe	Skype.exe
PID 1548 wrote to memory of 984	1548	svchost.exe	Skype.exe

C:\Users\Admin\AppData\Local\Temp\d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe
"C:\Users\Admin\AppData\Local\Temp\d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Roaming\google\Skype.exe
"C:\Users\Admin\AppData\Roaming\google\Skype.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
PID:984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1916

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1604

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1800

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1268

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:912

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2004

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1068

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:2024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1180

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1384

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1564

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1828

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:932

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1328

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1152

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1628

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1296

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:568

C:\Users\Admin\AppData\Roaming\google\Skype.exe
"C:\Users\Admin\AppData\Roaming\google\Skype.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
PID:1932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1972

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1776

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1844

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1372

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1724

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1656

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1940

C:\Users\Admin\AppData\Roaming\google\Skype.exe
"C:\Users\Admin\AppData\Roaming\google\Skype.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
PID:1908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1788

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1632

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:708

C:\Users\Admin\AppData\Roaming\google\Skype.exe
"C:\Users\Admin\AppData\Roaming\google\Skype.exe"
3⤵
- Executes dropped EXE
PID:1652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1720

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:524

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:572

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:1280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1476

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:1112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:676

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:700

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:1488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:640

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:472

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1332

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:1716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1276

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:1580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1832

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:1600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:296

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:564

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1532

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:800

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:988

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:1424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1468

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1584

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:1624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1352

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:280

C:\Users\Admin\AppData\Roaming\google\Skype.exe
"C:\Users\Admin\AppData\Roaming\google\Skype.exe"
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1988

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1124

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VFwig3\VFwig3.nfo
Filesize
3KB

MD5
68b0e56cce929d663e03223b27670144

SHA1
68bab0d2775dc47529be35876c0aea65ca24ceca

SHA256
74e03a39a97b67d6b1cbfc2d947407f58bc9d2b04da05a8f626c86a88748d32e

SHA512
3cd41fbe6227e2e0f769f9a68b74143801a45a393d3d75995c1c6ff800b9f17f226be9ee6496df84476c26308eace3e4392b38cc9b034d7e679cc8ca73025a1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VFwig3\VFwig3.nfo
Filesize
3KB

MD5
68b0e56cce929d663e03223b27670144

SHA1
68bab0d2775dc47529be35876c0aea65ca24ceca

SHA256
74e03a39a97b67d6b1cbfc2d947407f58bc9d2b04da05a8f626c86a88748d32e

SHA512
3cd41fbe6227e2e0f769f9a68b74143801a45a393d3d75995c1c6ff800b9f17f226be9ee6496df84476c26308eace3e4392b38cc9b034d7e679cc8ca73025a1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VFwig3\VFwig3.nfo
Filesize
3KB

MD5
68b0e56cce929d663e03223b27670144

SHA1
68bab0d2775dc47529be35876c0aea65ca24ceca

SHA256
74e03a39a97b67d6b1cbfc2d947407f58bc9d2b04da05a8f626c86a88748d32e

SHA512
3cd41fbe6227e2e0f769f9a68b74143801a45a393d3d75995c1c6ff800b9f17f226be9ee6496df84476c26308eace3e4392b38cc9b034d7e679cc8ca73025a1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VFwig3\VFwig3.svr
Filesize
358KB

MD5
00671f81b85f89f4d846ec178eeff6cb

SHA1
c1809712719f84aa6e0ad8cc5ec20cd62aca615a

SHA256
f4498728dc99d4e0f67d9c0c3a0272b75f5c9b5e2680e0d7e2a4d8bef9da1b4c

SHA512
b31813a82e61d645c32e4f24337803d4ef045439bacc3401d0f724a5ae58d1fa9c17495f7678b09fb3c312f4c012e39f783ee2924461f72b2a05edaea6a4f39c

Download Submit
C:\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
C:\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
C:\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
C:\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
C:\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
C:\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
\Users\Admin\AppData\Roaming\google\Skype.exe
Filesize
405KB

MD5
acb6797410609685f65ce25978fbbc71

SHA1
79d4daf4cc98668cf62cf6e1d5e3628e6edbd8b2

SHA256
d53abe32da6fc5f9fff8a4e5950c934a754beaeec5b4eb0c793583a5219a73af

SHA512
d3aa92f9bd9876a00cfd079550e6fa82bd2d3d51fc2aea4ed94bf107da0bf6f1093f3abb6a25702711ce8caf722ba089d520f3111586278fa73ba977a6208d5e

Download Submit
memory/984-63-0x0000000000000000-mapping.dmp

Download
memory/1048-77-0x0000000000000000-mapping.dmp

Download
memory/1124-102-0x0000000001611000-0x00000000016C5000-memory.dmp

Filesize
720KB

Download
memory/1124-98-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1124-103-0x00000000016C5000-0x000000000171E000-memory.dmp

Filesize
356KB

Download
memory/1124-101-0x00000000016C5000-0x000000000171E000-memory.dmp

Filesize
356KB

Download
memory/1124-100-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1124-99-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1124-86-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1124-87-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1124-90-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1124-93-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1124-95-0x000000000171D0A0-mapping.dmp

Download
memory/1124-96-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1548-60-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1548-55-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1548-57-0x0000000000000000-mapping.dmp

Download
memory/1652-81-0x0000000000000000-mapping.dmp

Download
memory/1908-72-0x0000000000000000-mapping.dmp

Download
memory/1932-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads