betabot | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536

General

Target

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Size

285KB
MD5

01daf4f618eac4c7379b4d1f8046deaa
SHA1

c73db227644dc6cc6d9b7fb91468014572507b4d
SHA256

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536
SHA512

435380deca7baf660e8a6b673d02ff6478bc6d823ca416b04a4ff758ffb7c821d5495f9870e9a8bbe513bde229ad5a114e44283160146e205e49d9489fbad465
SSDEEP

6144:JAsBZACyfs1vYtn9BqNmJ5y52jzm2YYrTASZ:YCyfsYBT5yEqM7Z

Score

10^/10

betabot backdoor botnet evasion persistence trojan

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "kbt.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7isi31gqwi7.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7isi31gqwi7.exe\DisableExceptionChainValidation	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe
Loads dropped DLL 1 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

pid process

944 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

pid	process
944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Search 5.3.10 = "C:\\ProgramData\\Windows Search 5.3.10\\7isi31gqwi7.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10 = "\"C:\\ProgramData\\Windows Search 5.3.10\\7isi31gqwi7.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

description	ioc	process
File created	C:\ProgramData\Windows Search 5.3.10\desktop.ini	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
File opened for modification	C:\ProgramData\Windows Search 5.3.10\desktop.ini	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exe

pid	process
576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

description	pid	process	target process
PID 944 set thread context of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

explorer.exe

pid	process
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exe

pid	process
576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

pid process

576 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeRestorePrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeBackupPrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeLoadDriverPrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeCreatePagefilePrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeShutdownPrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeTakeOwnershipPrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeChangeNotifyPrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeCreateTokenPrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeMachineAccountPrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeSecurityPrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeAssignPrimaryTokenPrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeCreateGlobalPrivilege	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: 33	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeDebugPrivilege	1336	explorer.exe
Token: SeRestorePrivilege	1336	explorer.exe
Token: SeBackupPrivilege	1336	explorer.exe
Token: SeLoadDriverPrivilege	1336	explorer.exe
Token: SeCreatePagefilePrivilege	1336	explorer.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeTakeOwnershipPrivilege	1336	explorer.exe
Token: SeChangeNotifyPrivilege	1336	explorer.exe
Token: SeCreateTokenPrivilege	1336	explorer.exe
Token: SeMachineAccountPrivilege	1336	explorer.exe
Token: SeSecurityPrivilege	1336	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	1336	explorer.exe
Token: SeCreateGlobalPrivilege	1336	explorer.exe
Token: 33	1336	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exe

description	pid	process	target process
PID 944 wrote to memory of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 944 wrote to memory of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 944 wrote to memory of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 944 wrote to memory of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 944 wrote to memory of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 944 wrote to memory of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 944 wrote to memory of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 944 wrote to memory of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 944 wrote to memory of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 944 wrote to memory of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 944 wrote to memory of 576	944	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 576 wrote to memory of 1336	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	explorer.exe
PID 576 wrote to memory of 1336	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	explorer.exe
PID 576 wrote to memory of 1336	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	explorer.exe
PID 576 wrote to memory of 1336	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	explorer.exe
PID 576 wrote to memory of 1336	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	explorer.exe
PID 576 wrote to memory of 1336	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	explorer.exe
PID 576 wrote to memory of 1336	576	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	explorer.exe
PID 1336 wrote to memory of 1168	1336	explorer.exe	Dwm.exe
PID 1336 wrote to memory of 1168	1336	explorer.exe	Dwm.exe
PID 1336 wrote to memory of 1168	1336	explorer.exe	Dwm.exe
PID 1336 wrote to memory of 1168	1336	explorer.exe	Dwm.exe
PID 1336 wrote to memory of 1168	1336	explorer.exe	Dwm.exe
PID 1336 wrote to memory of 1168	1336	explorer.exe	Dwm.exe
PID 1336 wrote to memory of 1204	1336	explorer.exe	Explorer.EXE
PID 1336 wrote to memory of 1204	1336	explorer.exe	Explorer.EXE
PID 1336 wrote to memory of 1204	1336	explorer.exe	Explorer.EXE
PID 1336 wrote to memory of 1204	1336	explorer.exe	Explorer.EXE
PID 1336 wrote to memory of 1204	1336	explorer.exe	Explorer.EXE
PID 1336 wrote to memory of 1204	1336	explorer.exe	Explorer.EXE
PID 1336 wrote to memory of 1924	1336	explorer.exe	DllHost.exe
PID 1336 wrote to memory of 1924	1336	explorer.exe	DllHost.exe
PID 1336 wrote to memory of 1924	1336	explorer.exe	DllHost.exe
PID 1336 wrote to memory of 1924	1336	explorer.exe	DllHost.exe
PID 1336 wrote to memory of 1924	1336	explorer.exe	DllHost.exe
PID 1336 wrote to memory of 1924	1336	explorer.exe	DllHost.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
"C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
"C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"
3⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

6

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoA834.tmp\skiers.dll
Filesize
228KB

MD5
fc7a721c4e3c90b9598d7c81fe77e726

SHA1
fe84f4d480c5da5e55c09842b74d502b03736770

SHA256
d059347af564675db2b15bf372282457e4c4b829712ef67c1aa2864b8c706c6d

SHA512
7bcc246a883e12c4f8965e99f2288e13d8a754600159240df6f881818d54a611b6cbdbe7364aa992405388f8b6b68fa6ad369f53f2fe1bba724cec699e2a0f8a

Download Submit
memory/576-70-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/576-57-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/576-73-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/576-74-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/576-59-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/576-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/576-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/576-63-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/576-64-0x00000000004015C6-mapping.dmp

Download
memory/576-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/576-67-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/576-72-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/576-79-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/576-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/576-58-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/576-78-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/944-54-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1204-85-0x0000000002600000-0x0000000002606000-memory.dmp

Filesize
24KB

Download
memory/1336-77-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1336-75-0x0000000000000000-mapping.dmp

Download
memory/1336-80-0x0000000077DD0000-0x0000000077F50000-memory.dmp

Filesize
1.5MB

Download
memory/1336-81-0x0000000000090000-0x000000000013B000-memory.dmp

Filesize
684KB

Download
memory/1336-82-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/1336-83-0x0000000077DD0000-0x0000000077F50000-memory.dmp

Filesize
1.5MB

Download
memory/1336-84-0x0000000000090000-0x000000000013B000-memory.dmp

Filesize
684KB

Download
memory/1924-86-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads