kronos | da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac

General

Target

da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
Size

334KB
MD5

bbffe40abd328fb813488525582a739c
SHA1

e2d911da1f333a890224f5a2a64ff2519ffcd62c
SHA256

da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac
SHA512

6b37392fbdfff463aca6e58a83cbaf7a7da4dddebe09fb0f442e503cda1a3d1c6501e054c6b6c921d1bcfa5bf41f3be9d0ed87cbceec51fe85bd113bf74020b5
SSDEEP

6144:P8hbjRDRuvYSggJCsiQbFzjRLdQPanA9fcW7DWaF:P8qYlcCVQbVjNK7/7DWaF

Score

10^/10

kronos banker botnet evasion persistence

Malware Config

Signatures

Kronos
banker botnet kronos

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{E3694CAA-0B9E-49DB-B0B0-86064FF94103}\\f5ea51da.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{E3694CAA-0B9E-49DB-B0B0-86064FF94103}\\f5ea51da.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe

description	pid	process	target process
PID 2000 set thread context of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 set thread context of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe

Drops file in Windows directory 1 IoCs

Processes:

description ioc process

File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf

description	ioc	process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe

Suspicious behavior: MapViewOfSection 27 IoCs

Processes:

da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exesvchost.exe

pid	process
1488	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
1488	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeRestorePrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeSystemtimePrivilege	880
Token: SeBackupPrivilege	880
Token: SeRestorePrivilege	880
Token: SeShutdownPrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeUndockPrivilege	880
Token: SeManageVolumePrivilege	880
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeRestorePrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeAssignPrimaryTokenPrivilege	880
Token: SeIncreaseQuotaPrivilege	880
Token: SeSecurityPrivilege	880
Token: SeTakeOwnershipPrivilege	880
Token: SeLoadDriverPrivilege	880
Token: SeRestorePrivilege	880
Token: SeSystemEnvironmentPrivilege	880
Token: SeAuditPrivilege	880

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1224
1224
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1224
1224
Suspicious use of UnmapMainImage 5 IoCs

Processes:

pid process

816
816
816
816
816

pid	process
1224
1224

pid	process
1224
1224

pid	process
816
816
816
816
816

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exeda3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exeda3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.execalc.exe

description	pid	process	target process
PID 2000 wrote to memory of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1956	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 2000 wrote to memory of 1488	2000	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
PID 1488 wrote to memory of 1664	1488	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	svchost.exe
PID 1488 wrote to memory of 1664	1488	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	svchost.exe
PID 1488 wrote to memory of 1664	1488	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	svchost.exe
PID 1488 wrote to memory of 1664	1488	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	svchost.exe
PID 1956 wrote to memory of 956	1956	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	calc.exe
PID 1956 wrote to memory of 956	1956	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	calc.exe
PID 1956 wrote to memory of 956	1956	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	calc.exe
PID 1956 wrote to memory of 956	1956	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	calc.exe
PID 1956 wrote to memory of 956	1956	da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe	calc.exe
PID 384 wrote to memory of 956	384		calc.exe
PID 384 wrote to memory of 1400	384		notepad.exe
PID 384 wrote to memory of 1400	384		notepad.exe
PID 384 wrote to memory of 1400	384		notepad.exe
PID 384 wrote to memory of 1400	384		notepad.exe
PID 956 wrote to memory of 1400	956	calc.exe	notepad.exe
PID 956 wrote to memory of 1400	956	calc.exe	notepad.exe
PID 956 wrote to memory of 1400	956	calc.exe	notepad.exe
PID 956 wrote to memory of 1400	956	calc.exe	notepad.exe
PID 956 wrote to memory of 1400	956	calc.exe	notepad.exe
PID 384 wrote to memory of 1400	384		notepad.exe

C:\Users\Admin\AppData\Local\Temp\da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
"C:\Users\Admin\AppData\Local\Temp\da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
"C:\Users\Admin\AppData\Local\Temp\da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\calc.exe
"C:\Windows\SysWOW64\calc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\SysWOW64\notepad.exe"
4⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe
"C:\Users\Admin\AppData\Local\Temp\da3579010191adc0aa1bdc287fbb338d9c4aea5b0ce39bb4f8af3d27bfc097ac.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-97-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/296-112-0x0000000000B60000-0x0000000000B65000-memory.dmp

Filesize
20KB

Download
memory/336-99-0x0000000001F00000-0x0000000001F05000-memory.dmp

Filesize
20KB

Download
memory/372-100-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/384-101-0x0000000000490000-0x0000000000495000-memory.dmp

Filesize
20KB

Download
memory/420-102-0x0000000000050000-0x0000000000055000-memory.dmp

Filesize
20KB

Download
memory/468-103-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/476-104-0x0000000000190000-0x0000000000195000-memory.dmp

Filesize
20KB

Download
memory/484-105-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/600-106-0x0000000000520000-0x0000000000525000-memory.dmp

Filesize
20KB

Download
memory/676-107-0x00000000003C0000-0x00000000003C5000-memory.dmp

Filesize
20KB

Download
memory/760-108-0x0000000000900000-0x0000000000905000-memory.dmp

Filesize
20KB

Download
memory/816-109-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/856-110-0x00000000006A0000-0x00000000006A5000-memory.dmp

Filesize
20KB

Download
memory/880-111-0x00000000009F0000-0x00000000009F5000-memory.dmp

Filesize
20KB

Download
memory/956-135-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/956-123-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/956-124-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/956-92-0x0000000000000000-mapping.dmp

Download
memory/1028-115-0x0000000000190000-0x0000000000195000-memory.dmp

Filesize
20KB

Download
memory/1076-116-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1132-113-0x0000000000210000-0x0000000000215000-memory.dmp

Filesize
20KB

Download
memory/1184-118-0x0000000000330000-0x0000000000335000-memory.dmp

Filesize
20KB

Download
memory/1224-114-0x0000000002190000-0x0000000002195000-memory.dmp

Filesize
20KB

Download
memory/1252-121-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/1400-134-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1400-132-0x0000000000000000-mapping.dmp

Download
memory/1488-80-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1488-72-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1488-69-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1488-74-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1488-88-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1488-76-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1488-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1488-77-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1488-86-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1488-81-0x0000000000415EBC-mapping.dmp

Download
memory/1632-119-0x00000000007E0000-0x00000000007E5000-memory.dmp

Filesize
20KB

Download
memory/1664-89-0x0000000000000000-mapping.dmp

Download
memory/1664-98-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/1664-95-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1664-120-0x0000000002160000-0x0000000002324000-memory.dmp

Filesize
1.8MB

Download
memory/1664-96-0x00000000001A0000-0x00000000001A5000-memory.dmp

Filesize
20KB

Download
memory/1908-122-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download
memory/1956-87-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1956-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1956-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1956-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1956-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1956-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1956-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1956-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1956-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1956-66-0x0000000000403850-mapping.dmp

Download
memory/2000-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/2000-84-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2000-83-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/2020-117-0x0000000000100000-0x0000000000105000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads