netwire | 823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4

General

Target

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
Size

322KB
MD5

8c6786529c56bfe3802712e393a13e4c
SHA1

e88851e8fb9b948911616d4fad67e3f4b7b970af
SHA256

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4
SHA512

769a5434ebc6079dbd9d056e6b31d1bcc7338bb209e376b6b02d85476348e9fff8d098c5dbdea9eb11e26d09ed6b2f619198aa1c02c68732a0bf29be6e21f46d
SSDEEP

3072:is9Poak1p9oc77gB2Iz3p2j1abSHLTXaUjxTsqu7oDE7wuTJOu:3PoDj9/EBnUpPXFBZl4Jl

Score

10^/10

netwire botnet evasion rat stealer trojan

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2716-135-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2716-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2716-141-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

Executes dropped EXE 3 IoCs

Processes:

AppMgnt.exehknswc.exeAppMgnt.exe

pid process

3140 AppMgnt.exe
4396 hknswc.exe
3396 AppMgnt.exe

pid	process
3140	AppMgnt.exe
4396	hknswc.exe
3396	AppMgnt.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exeAppMgnt.exehknswc.exeAppMgnt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	AppMgnt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	hknswc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	AppMgnt.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\.Identifier svchost.exe
File opened for modification C:\Windows\SysWOW64\.Identifier svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\.Identifier	svchost.exe
File opened for modification	C:\Windows\SysWOW64\.Identifier	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exehknswc.exe

description	pid	process	target process
PID 2792 set thread context of 2716	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 4396 set thread context of 1412	4396	hknswc.exe	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
File created	C:\Windows\assembly\Desktop.ini	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4964 schtasks.exe
2508 schtasks.exe

pid	process
4964	schtasks.exe
2508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exeAppMgnt.exehknswc.exeAppMgnt.exe

pid	process
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
3140	AppMgnt.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
3140	AppMgnt.exe
3140	AppMgnt.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
3140	AppMgnt.exe
3140	AppMgnt.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
3140	AppMgnt.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
3140	AppMgnt.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
3140	AppMgnt.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
3140	AppMgnt.exe
3140	AppMgnt.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
3140	AppMgnt.exe
4396	hknswc.exe
4396	hknswc.exe
4396	hknswc.exe
4396	hknswc.exe
4396	hknswc.exe
4396	hknswc.exe
4396	hknswc.exe
4396	hknswc.exe
3396	AppMgnt.exe
4396	hknswc.exe
3396	AppMgnt.exe
4396	hknswc.exe
3396	AppMgnt.exe
4396	hknswc.exe
3396	AppMgnt.exe
4396	hknswc.exe
3396	AppMgnt.exe
4396	hknswc.exe
3396	AppMgnt.exe
4396	hknswc.exe
3396	AppMgnt.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exeAppMgnt.exehknswc.exeAppMgnt.exe

description	pid	process
Token: SeDebugPrivilege	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
Token: SeDebugPrivilege	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
Token: SeDebugPrivilege	3140	AppMgnt.exe
Token: SeDebugPrivilege	4396	hknswc.exe
Token: SeDebugPrivilege	3396	AppMgnt.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exeAppMgnt.exehknswc.exeAppMgnt.exe

description	pid	process	target process
PID 2792 wrote to memory of 2716	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 2792 wrote to memory of 2716	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 2792 wrote to memory of 2716	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 2792 wrote to memory of 2716	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 2792 wrote to memory of 2716	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 2792 wrote to memory of 2716	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 2792 wrote to memory of 2716	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 2792 wrote to memory of 2716	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 2792 wrote to memory of 3140	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	AppMgnt.exe
PID 2792 wrote to memory of 3140	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	AppMgnt.exe
PID 2792 wrote to memory of 3140	2792	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	AppMgnt.exe
PID 3140 wrote to memory of 2508	3140	AppMgnt.exe	schtasks.exe
PID 3140 wrote to memory of 2508	3140	AppMgnt.exe	schtasks.exe
PID 3140 wrote to memory of 2508	3140	AppMgnt.exe	schtasks.exe
PID 3140 wrote to memory of 4396	3140	AppMgnt.exe	hknswc.exe
PID 3140 wrote to memory of 4396	3140	AppMgnt.exe	hknswc.exe
PID 3140 wrote to memory of 4396	3140	AppMgnt.exe	hknswc.exe
PID 4396 wrote to memory of 1412	4396	hknswc.exe	svchost.exe
PID 4396 wrote to memory of 1412	4396	hknswc.exe	svchost.exe
PID 4396 wrote to memory of 1412	4396	hknswc.exe	svchost.exe
PID 4396 wrote to memory of 1412	4396	hknswc.exe	svchost.exe
PID 4396 wrote to memory of 1412	4396	hknswc.exe	svchost.exe
PID 4396 wrote to memory of 1412	4396	hknswc.exe	svchost.exe
PID 4396 wrote to memory of 1412	4396	hknswc.exe	svchost.exe
PID 4396 wrote to memory of 1412	4396	hknswc.exe	svchost.exe
PID 4396 wrote to memory of 3396	4396	hknswc.exe	AppMgnt.exe
PID 4396 wrote to memory of 3396	4396	hknswc.exe	AppMgnt.exe
PID 4396 wrote to memory of 3396	4396	hknswc.exe	AppMgnt.exe
PID 3396 wrote to memory of 4964	3396	AppMgnt.exe	schtasks.exe
PID 3396 wrote to memory of 4964	3396	AppMgnt.exe	schtasks.exe
PID 3396 wrote to memory of 4964	3396	AppMgnt.exe	schtasks.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

C:\Users\Admin\AppData\Local\Temp\823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
"C:\Users\Admin\AppData\Local\Temp\823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2792

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Drops file in System32 directory
PID:2716

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2508

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:1412

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AppMgnt.exe.log
Filesize
404B

MD5
fcc802ed7e1aa47a9e0ba0420dac1632

SHA1
f7a7b06f14790b2e33a66fa6c318f940a6637786

SHA256
676475b51aec5bc3cbd324aca7091e8e63465b0cc77d85a02db484754c4fa7e1

SHA512
df8e129fb26cc87e3f76f69c7bf142116762cfe0377599f353cb2230a3ad992ad358ddba2c46a02e1bb14e4054f3df19b028a6a44699584f2a7f9f4c53092c43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
322KB

MD5
8c6786529c56bfe3802712e393a13e4c

SHA1
e88851e8fb9b948911616d4fad67e3f4b7b970af

SHA256
823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4

SHA512
769a5434ebc6079dbd9d056e6b31d1bcc7338bb209e376b6b02d85476348e9fff8d098c5dbdea9eb11e26d09ed6b2f619198aa1c02c68732a0bf29be6e21f46d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
322KB

MD5
8c6786529c56bfe3802712e393a13e4c

SHA1
e88851e8fb9b948911616d4fad67e3f4b7b970af

SHA256
823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4

SHA512
769a5434ebc6079dbd9d056e6b31d1bcc7338bb209e376b6b02d85476348e9fff8d098c5dbdea9eb11e26d09ed6b2f619198aa1c02c68732a0bf29be6e21f46d

Download Submit
memory/1412-151-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1412-150-0x0000000000000000-mapping.dmp

Download
memory/2508-145-0x0000000000000000-mapping.dmp

Download
memory/2716-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2716-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2716-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2716-134-0x0000000000000000-mapping.dmp

Download
memory/2792-154-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2792-133-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2792-132-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3140-138-0x0000000000000000-mapping.dmp

Download
memory/3140-143-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3140-142-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3140-153-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3396-155-0x0000000000000000-mapping.dmp

Download
memory/3396-160-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3396-159-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/4396-148-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/4396-146-0x0000000000000000-mapping.dmp

Download
memory/4396-149-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/4964-158-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads