netwire | 77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27

General

Target

77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
Size

267KB
MD5

994f1483002da7a477deced313d479c4
SHA1

f80961a22a97fa8f4c26496b750d8b75e00cc554
SHA256

77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27
SHA512

8e9e30e6ffd3a8cc106c6e4f5c80056cf569e8bd4f15a0adbcefd81cf27f23ad4e6b969053b43ec336f1bd7067c6b94d771a9fcab5035c68a22529966c993ab3
SSDEEP

6144:8lCJckrv/5dKMk8J+/onvXC953fDs1p1GYeOBS0esJaq47z:84JbXrXPS954BDBS0eMadz

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1560-76-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1560-78-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1560-79-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1560-82-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1560-87-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/984-116-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/984-119-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

1920 Host.exe
1948 Host.exe
984 Host.exe
Loads dropped DLL 1 IoCs

Processes:

77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe

pid process

1560 77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe

pid	process
1920	Host.exe
1948	Host.exe
984	Host.exe

pid	process
1560	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exeHost.exeHost.exe

description	pid	process	target process
PID 752 set thread context of 1448	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1448 set thread context of 1560	1448	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1920 set thread context of 1948	1920	Host.exe	Host.exe
PID 1948 set thread context of 984	1948	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 11 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.in-Feb-2015\ = "in-Feb-2015_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\in-Feb-2015_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\in-Feb-2015_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\in-Feb-2015_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\in-Feb-2015_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.in-Feb-2015	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\in-Feb-2015_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\in-Feb-2015_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

944 AcroRd32.exe
944 AcroRd32.exe

pid	process
944	AcroRd32.exe
944	AcroRd32.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exeHost.exeHost.exerundll32.exerundll32.exe

description	pid	process	target process
PID 752 wrote to memory of 1996	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	rundll32.exe
PID 752 wrote to memory of 1996	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	rundll32.exe
PID 752 wrote to memory of 1996	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	rundll32.exe
PID 752 wrote to memory of 1996	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	rundll32.exe
PID 752 wrote to memory of 1996	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	rundll32.exe
PID 752 wrote to memory of 1996	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	rundll32.exe
PID 752 wrote to memory of 1996	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	rundll32.exe
PID 752 wrote to memory of 1448	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 752 wrote to memory of 1448	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 752 wrote to memory of 1448	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 752 wrote to memory of 1448	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 752 wrote to memory of 1448	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 752 wrote to memory of 1448	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 752 wrote to memory of 1448	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 752 wrote to memory of 1448	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 752 wrote to memory of 1448	752	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1448 wrote to memory of 1560	1448	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1448 wrote to memory of 1560	1448	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1448 wrote to memory of 1560	1448	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1448 wrote to memory of 1560	1448	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1448 wrote to memory of 1560	1448	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1448 wrote to memory of 1560	1448	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1448 wrote to memory of 1560	1448	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1448 wrote to memory of 1560	1448	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1448 wrote to memory of 1560	1448	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
PID 1560 wrote to memory of 1920	1560	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	Host.exe
PID 1560 wrote to memory of 1920	1560	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	Host.exe
PID 1560 wrote to memory of 1920	1560	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	Host.exe
PID 1560 wrote to memory of 1920	1560	77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe	Host.exe
PID 1920 wrote to memory of 1532	1920	Host.exe	rundll32.exe
PID 1920 wrote to memory of 1532	1920	Host.exe	rundll32.exe
PID 1920 wrote to memory of 1532	1920	Host.exe	rundll32.exe
PID 1920 wrote to memory of 1532	1920	Host.exe	rundll32.exe
PID 1920 wrote to memory of 1532	1920	Host.exe	rundll32.exe
PID 1920 wrote to memory of 1532	1920	Host.exe	rundll32.exe
PID 1920 wrote to memory of 1532	1920	Host.exe	rundll32.exe
PID 1920 wrote to memory of 1948	1920	Host.exe	Host.exe
PID 1920 wrote to memory of 1948	1920	Host.exe	Host.exe
PID 1920 wrote to memory of 1948	1920	Host.exe	Host.exe
PID 1920 wrote to memory of 1948	1920	Host.exe	Host.exe
PID 1920 wrote to memory of 1948	1920	Host.exe	Host.exe
PID 1920 wrote to memory of 1948	1920	Host.exe	Host.exe
PID 1920 wrote to memory of 1948	1920	Host.exe	Host.exe
PID 1920 wrote to memory of 1948	1920	Host.exe	Host.exe
PID 1920 wrote to memory of 1948	1920	Host.exe	Host.exe
PID 1948 wrote to memory of 984	1948	Host.exe	Host.exe
PID 1948 wrote to memory of 984	1948	Host.exe	Host.exe
PID 1948 wrote to memory of 984	1948	Host.exe	Host.exe
PID 1948 wrote to memory of 984	1948	Host.exe	Host.exe
PID 1948 wrote to memory of 984	1948	Host.exe	Host.exe
PID 1948 wrote to memory of 984	1948	Host.exe	Host.exe
PID 1948 wrote to memory of 984	1948	Host.exe	Host.exe
PID 1948 wrote to memory of 984	1948	Host.exe	Host.exe
PID 1948 wrote to memory of 984	1948	Host.exe	Host.exe
PID 1532 wrote to memory of 944	1532	rundll32.exe	AcroRd32.exe
PID 1532 wrote to memory of 944	1532	rundll32.exe	AcroRd32.exe
PID 1532 wrote to memory of 944	1532	rundll32.exe	AcroRd32.exe
PID 1532 wrote to memory of 944	1532	rundll32.exe	AcroRd32.exe
PID 1996 wrote to memory of 284	1996	rundll32.exe	AcroRd32.exe
PID 1996 wrote to memory of 284	1996	rundll32.exe	AcroRd32.exe
PID 1996 wrote to memory of 284	1996	rundll32.exe	AcroRd32.exe
PID 1996 wrote to memory of 284	1996	rundll32.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
"C:\Users\Admin\AppData\Local\Temp\77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\adobe.in-Feb-2015
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.in-Feb-2015"
3⤵
PID:284

C:\Users\Admin\AppData\Local\Temp\77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
"C:\Users\Admin\AppData\Local\Temp\77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe
"C:\Users\Admin\AppData\Local\Temp\77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Local\Temp\77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\adobe.in-Feb-2015
5⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.in-Feb-2015"
6⤵
- Suspicious use of SetWindowsHookEx
PID:944

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
- Executes dropped EXE
PID:984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobe.in-Feb-2015
Filesize
987B

MD5
0168824362506b61c65334cf5daa112a

SHA1
af253bc814c9eac22ce0b21044ae4dfb7d0172a0

SHA256
eb1b9b72f32737036f99ba31dec04f091a2f40f83ec47da200116a3d9e7dfb09

SHA512
61b6cb591d4069f2daf85754d3cd8c45b05617df67ebd2197d3da38d371f1133fc5011e90d76efe1d23e8b957ec39bfb5c9a80cd32abfa80ef056f0f3210d0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe.in-Feb-2015
Filesize
987B

MD5
0168824362506b61c65334cf5daa112a

SHA1
af253bc814c9eac22ce0b21044ae4dfb7d0172a0

SHA256
eb1b9b72f32737036f99ba31dec04f091a2f40f83ec47da200116a3d9e7dfb09

SHA512
61b6cb591d4069f2daf85754d3cd8c45b05617df67ebd2197d3da38d371f1133fc5011e90d76efe1d23e8b957ec39bfb5c9a80cd32abfa80ef056f0f3210d0a8

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
267KB

MD5
994f1483002da7a477deced313d479c4

SHA1
f80961a22a97fa8f4c26496b750d8b75e00cc554

SHA256
77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27

SHA512
8e9e30e6ffd3a8cc106c6e4f5c80056cf569e8bd4f15a0adbcefd81cf27f23ad4e6b969053b43ec336f1bd7067c6b94d771a9fcab5035c68a22529966c993ab3

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
267KB

MD5
994f1483002da7a477deced313d479c4

SHA1
f80961a22a97fa8f4c26496b750d8b75e00cc554

SHA256
77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27

SHA512
8e9e30e6ffd3a8cc106c6e4f5c80056cf569e8bd4f15a0adbcefd81cf27f23ad4e6b969053b43ec336f1bd7067c6b94d771a9fcab5035c68a22529966c993ab3

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
267KB

MD5
994f1483002da7a477deced313d479c4

SHA1
f80961a22a97fa8f4c26496b750d8b75e00cc554

SHA256
77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27

SHA512
8e9e30e6ffd3a8cc106c6e4f5c80056cf569e8bd4f15a0adbcefd81cf27f23ad4e6b969053b43ec336f1bd7067c6b94d771a9fcab5035c68a22529966c993ab3

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
267KB

MD5
994f1483002da7a477deced313d479c4

SHA1
f80961a22a97fa8f4c26496b750d8b75e00cc554

SHA256
77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27

SHA512
8e9e30e6ffd3a8cc106c6e4f5c80056cf569e8bd4f15a0adbcefd81cf27f23ad4e6b969053b43ec336f1bd7067c6b94d771a9fcab5035c68a22529966c993ab3

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
267KB

MD5
994f1483002da7a477deced313d479c4

SHA1
f80961a22a97fa8f4c26496b750d8b75e00cc554

SHA256
77c4fe1378a2357f98acdac2bb027ad1cd24cfd17e4b9a669be256fa0ff93a27

SHA512
8e9e30e6ffd3a8cc106c6e4f5c80056cf569e8bd4f15a0adbcefd81cf27f23ad4e6b969053b43ec336f1bd7067c6b94d771a9fcab5035c68a22529966c993ab3

Download Submit
memory/284-123-0x0000000000000000-mapping.dmp

Download
memory/752-69-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/752-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/944-120-0x0000000000000000-mapping.dmp

Download
memory/984-116-0x0000000000402196-mapping.dmp

Download
memory/984-119-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1448-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1448-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1448-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1448-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1448-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1448-83-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1448-64-0x00000000004273EE-mapping.dmp

Download
memory/1448-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1532-91-0x0000000000000000-mapping.dmp

Download
memory/1560-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1560-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1560-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1560-76-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1560-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1560-82-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1560-79-0x0000000000402196-mapping.dmp

Download
memory/1560-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1920-85-0x0000000000000000-mapping.dmp

Download
memory/1920-107-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-118-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-105-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1948-103-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1948-100-0x00000000004273EE-mapping.dmp

Download
memory/1996-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads