c0bd2850fc1fdafa2cf0768b94076a87f32fc11babfcb034c0f7563a4541ec28

General

Target

Schwab_Desktop_v2.7.exe
Size

401.9MB
MD5

800a60c9de653f119035b42984f47e01
SHA1

95d3c504865aa0c30bb24c4de3a3fc2880a8facc
SHA256

b566086aa3efcbfe88ec27884e365a671c02879166d2b3a5cde186b3d0f951c5
SHA512

0a35c622da1ea03a2021b6b98af9e3b0f48a236684a2e8a74accc1633b976d2fb927e196a763633c83af27a0f1b9e100a9ac5c94975ad410412d7035bab2ba8b
SSDEEP

98304:Jg6OOOW638tFjYat5ddWLdpcXSpThOigPRzRR+JK:FF66FjYaFdWwXSphOig5dR+g

Score

8^/10

collection discovery spyware stealer vmprotect

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

89 2488 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

BE00.exejwvirgb

pid process

4656 BE00.exe
3904 jwvirgb

flow	pid	process
89	2488	rundll32.exe

pid	process
4656	BE00.exe
3904	jwvirgb

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2100-132-0x0000000000400000-0x00000000009DB000-memory.dmp	vmprotect
behavioral2/memory/2100-133-0x0000000000400000-0x00000000009DB000-memory.dmp	vmprotect
behavioral2/memory/2100-134-0x0000000000400000-0x00000000009DB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\jwvirgb	vmprotect
C:\Users\Admin\AppData\Roaming\jwvirgb	vmprotect
behavioral2/memory/3904-190-0x0000000000400000-0x00000000009DB000-memory.dmp	vmprotect
behavioral2/memory/3904-191-0x0000000000400000-0x00000000009DB000-memory.dmp	vmprotect
behavioral2/memory/3904-192-0x0000000000400000-0x00000000009DB000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2488 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2488	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5100 2488 WerFault.exe rundll32.exe

pid	pid_target	process	target process
5100	2488	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Schwab_Desktop_v2.7.exejwvirgb

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Schwab_Desktop_v2.7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Schwab_Desktop_v2.7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Schwab_Desktop_v2.7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwvirgb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwvirgb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwvirgb

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Schwab_Desktop_v2.7.exe

pid	process
2100	Schwab_Desktop_v2.7.exe
2100	Schwab_Desktop_v2.7.exe
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2720
Suspicious behavior: MapViewOfSection 22 IoCs

Processes:

Schwab_Desktop_v2.7.exejwvirgb

pid process

2100 Schwab_Desktop_v2.7.exe
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
3904 jwvirgb

pid	process
2720

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

BE00.exe

description	pid	process	target process
PID 2720 wrote to memory of 4656	2720		BE00.exe
PID 2720 wrote to memory of 4656	2720		BE00.exe
PID 2720 wrote to memory of 4656	2720		BE00.exe
PID 2720 wrote to memory of 4844	2720		explorer.exe
PID 2720 wrote to memory of 4844	2720		explorer.exe
PID 2720 wrote to memory of 4844	2720		explorer.exe
PID 2720 wrote to memory of 4844	2720		explorer.exe
PID 2720 wrote to memory of 4092	2720		explorer.exe
PID 2720 wrote to memory of 4092	2720		explorer.exe
PID 2720 wrote to memory of 4092	2720		explorer.exe
PID 2720 wrote to memory of 1480	2720		explorer.exe
PID 2720 wrote to memory of 1480	2720		explorer.exe
PID 2720 wrote to memory of 1480	2720		explorer.exe
PID 2720 wrote to memory of 1480	2720		explorer.exe
PID 2720 wrote to memory of 4512	2720		explorer.exe
PID 2720 wrote to memory of 4512	2720		explorer.exe
PID 2720 wrote to memory of 4512	2720		explorer.exe
PID 2720 wrote to memory of 4512	2720		explorer.exe
PID 2720 wrote to memory of 836	2720		explorer.exe
PID 2720 wrote to memory of 836	2720		explorer.exe
PID 2720 wrote to memory of 836	2720		explorer.exe
PID 2720 wrote to memory of 3768	2720		explorer.exe
PID 2720 wrote to memory of 3768	2720		explorer.exe
PID 2720 wrote to memory of 3768	2720		explorer.exe
PID 2720 wrote to memory of 3768	2720		explorer.exe
PID 2720 wrote to memory of 508	2720		explorer.exe
PID 2720 wrote to memory of 508	2720		explorer.exe
PID 2720 wrote to memory of 508	2720		explorer.exe
PID 2720 wrote to memory of 3892	2720		explorer.exe
PID 2720 wrote to memory of 3892	2720		explorer.exe
PID 2720 wrote to memory of 3892	2720		explorer.exe
PID 2720 wrote to memory of 3892	2720		explorer.exe
PID 2720 wrote to memory of 1276	2720		explorer.exe
PID 2720 wrote to memory of 1276	2720		explorer.exe
PID 2720 wrote to memory of 1276	2720		explorer.exe
PID 2720 wrote to memory of 444	2720		explorer.exe
PID 2720 wrote to memory of 444	2720		explorer.exe
PID 2720 wrote to memory of 444	2720		explorer.exe
PID 2720 wrote to memory of 444	2720		explorer.exe
PID 4656 wrote to memory of 2488	4656	BE00.exe	rundll32.exe
PID 4656 wrote to memory of 2488	4656	BE00.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\Schwab_Desktop_v2.7.exe
"C:\Users\Admin\AppData\Local\Temp\Schwab_Desktop_v2.7.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2100

C:\Users\Admin\AppData\Local\Temp\BE00.exe
C:\Users\Admin\AppData\Local\Temp\BE00.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\system32\rundll32.exe
"C:\Users\Admin\AppData\Roaming\nsis_unse58491a.dll",PrintUIEntry |5CQkOhiAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAOVkHwBs8|AtBTkAY|sAQjsAMABBAHf7AG05AE0ARgBW7wBLAG8tAllIg||sKOgEAgAASP+DxCjDzMzMTP+JRCQYSIlUJL8QSIlMJAhZAUj|i0QkMEiJBCT2fQE4SGsACEjHRNskEC0B6w59ARBI14PAAYsBEH0BQEjtOZIAcyWbA4sMJP9IA8hIi8FIi|VMpwFUdwAD0UiLf8qKCYgI68FiBb9lSIsEJWDz8DP|yUiLUBhIO9H|dDZIg8IgSIv|Akg7wnQqZoP|eEgYdRpMi0D|UGZBgzhrdAfuDRFLdQgNEHgQLv90BUiLAOvVSOuLSPkAwWYAQFNV|1ZXQVRBVUFW+0FXWQFmgTlNWv9Ni|hMi|JIi+|ZD4X88|BMY0n|PEGBPAlQRQDvAA+F6vPwQYuE+wmI8|CFwEiNPO8BD4TWZhGDvAndjC0BD4TH8|BEi|9nIESLXxyLd|8kRItPGEwD4f9MA9lIA|Ezyb9FhckPhKTz8E3|i8RBixBFM9L|SAPTigKEwHT|HUHByg0PvsDe9gABRAPQuxF17P9Bgfqq|A18dP8Og8EBSYPABP9BO8lzaevGi||BD7cMTkWLLP+LTAPrdFgz7b6mEHRRQYsUvQDT|zPJigJMi8Lrtw|BycQRA8jhEAH3QYoA0RDtM8Azn|ZBOwy23BCiAIP|xgGD+Ahy7uv|CkiLy0H|1UnfiQT3g8XgEMQE3ztvGHKvYgFBX|9BXkFdQVxfXvtdWy8XSIHsYAH+YACL6ehm|v||v0iFwA+EmXEgTPWNqwGLJxDIM||o|Zt5II1fBEyNRf9CM9KLy|9UJP1ofCBMi+APhGx6cSBFpBAzwIvTjSBfSIl8JCCiIHB8ID9Ii|APhExxIKIg|1BIjVYIRI1H30BIjYwkgRFIi+|Y6Hz9eiCNVkhq2iAQ3iHM8|DoZ+sgP0SLBo1XCD0goiC9WMYhiYQkgIMS3fbz8IsO1iBYiYwk2G0RAzCNIOgx6yBMi+9dOousKTJIi5z+FjJMiWQkOESNv2dsSTvsSIYgMHdMiVyAAYQk3IMR04aO4yHfIPCsE0iLb9Po5|wBMIqcczL3SI2EczJBgPMhv0mLzEQwGKACg7|pAXXzgbxzMiH|UmV4dUqLhCTd9B4xlCT48|ADwv9IO+hyNUE71P92MESNSUBJK0|UQbgAlACiIEDGIs|4dBdEtDC+MUiN+1NsjSBNK8TobO6AMEiLzqIgeEiFz|90FEyMMBcxSI3fTCRAugPz8P|XZ0iBxHAhXSQAAA==
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:2488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2488 -s 300
3⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
PID:4844

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4092

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1480

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4512

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:836

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3768

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:508

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3892

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1276

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:444

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2488 -ip 2488
1⤵
PID:2856

C:\Users\Admin\AppData\Roaming\jwvirgb
C:\Users\Admin\AppData\Roaming\jwvirgb
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BE00.exe
Filesize
1.0MB

MD5
5626464b66d55a1d1054d774713ed3d2

SHA1
11cb3324ce60c045541bd1db25dd943d4a5fd11f

SHA256
1657c1b339990b41b61e53bce82ee43fdea10c9cfdc4820c8ab8de7efb7b5792

SHA512
dbbe2ec607e3b4bdb7ef05483c410bf3e4c40588acc7301a0a17a97ffbcbd046d80883a0b75208678762c99ae21380771b64f7f0c190c1f3dfea70e404dce273

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE00.exe
Filesize
1.0MB

MD5
5626464b66d55a1d1054d774713ed3d2

SHA1
11cb3324ce60c045541bd1db25dd943d4a5fd11f

SHA256
1657c1b339990b41b61e53bce82ee43fdea10c9cfdc4820c8ab8de7efb7b5792

SHA512
dbbe2ec607e3b4bdb7ef05483c410bf3e4c40588acc7301a0a17a97ffbcbd046d80883a0b75208678762c99ae21380771b64f7f0c190c1f3dfea70e404dce273

Download Submit
C:\Users\Admin\AppData\Roaming\jwvirgb
Filesize
401.9MB

MD5
800a60c9de653f119035b42984f47e01

SHA1
95d3c504865aa0c30bb24c4de3a3fc2880a8facc

SHA256
b566086aa3efcbfe88ec27884e365a671c02879166d2b3a5cde186b3d0f951c5

SHA512
0a35c622da1ea03a2021b6b98af9e3b0f48a236684a2e8a74accc1633b976d2fb927e196a763633c83af27a0f1b9e100a9ac5c94975ad410412d7035bab2ba8b

Download Submit
C:\Users\Admin\AppData\Roaming\jwvirgb
Filesize
401.9MB

MD5
800a60c9de653f119035b42984f47e01

SHA1
95d3c504865aa0c30bb24c4de3a3fc2880a8facc

SHA256
b566086aa3efcbfe88ec27884e365a671c02879166d2b3a5cde186b3d0f951c5

SHA512
0a35c622da1ea03a2021b6b98af9e3b0f48a236684a2e8a74accc1633b976d2fb927e196a763633c83af27a0f1b9e100a9ac5c94975ad410412d7035bab2ba8b

Download Submit
C:\Users\Admin\AppData\Roaming\nsis_unse58491a.dll
Filesize
58KB

MD5
664e46926466a2d4c9b87540f4853c39

SHA1
b172d1c2bde331770b0a944fcf6a9e2d75ded66b

SHA256
92a7c3296a561fb39798f821173e69d1feff44ff3a84caa4c6bb890945e79488

SHA512
1490ee65220c71a9f445df4b0f34d0c7bd3ece2e58253cfa3194d34e813843e0f71ea7bce0f0ae562a620334fdf3589262ca2f3209414936aa28a365db64ff03

Download Submit
C:\Users\Admin\AppData\Roaming\nsis_unse58491a.dll
Filesize
58KB

MD5
664e46926466a2d4c9b87540f4853c39

SHA1
b172d1c2bde331770b0a944fcf6a9e2d75ded66b

SHA256
92a7c3296a561fb39798f821173e69d1feff44ff3a84caa4c6bb890945e79488

SHA512
1490ee65220c71a9f445df4b0f34d0c7bd3ece2e58253cfa3194d34e813843e0f71ea7bce0f0ae562a620334fdf3589262ca2f3209414936aa28a365db64ff03

Download Submit
memory/444-174-0x00000000010A0000-0x00000000010AB000-memory.dmp

Filesize
44KB

Download
memory/444-184-0x00000000010B0000-0x00000000010B8000-memory.dmp

Filesize
32KB

Download
memory/444-173-0x00000000010B0000-0x00000000010B8000-memory.dmp

Filesize
32KB

Download
memory/444-165-0x0000000000000000-mapping.dmp

Download
memory/508-158-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/508-157-0x0000000000B00000-0x0000000000B06000-memory.dmp

Filesize
24KB

Download
memory/508-156-0x0000000000000000-mapping.dmp

Download
memory/836-150-0x0000000000000000-mapping.dmp

Download
memory/836-168-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/836-151-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/836-152-0x0000000000540000-0x000000000054F000-memory.dmp

Filesize
60KB

Download
memory/1276-163-0x0000000001280000-0x0000000001287000-memory.dmp

Filesize
28KB

Download
memory/1276-171-0x0000000001280000-0x0000000001287000-memory.dmp

Filesize
28KB

Download
memory/1276-164-0x0000000000FF0000-0x0000000000FFD000-memory.dmp

Filesize
52KB

Download
memory/1276-162-0x0000000000000000-mapping.dmp

Download
memory/1480-166-0x0000000000800000-0x0000000000804000-memory.dmp

Filesize
16KB

Download
memory/1480-143-0x0000000000000000-mapping.dmp

Download
memory/1480-146-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/1480-145-0x0000000000800000-0x0000000000804000-memory.dmp

Filesize
16KB

Download
memory/2100-133-0x0000000000400000-0x00000000009DB000-memory.dmp

Filesize
5.9MB

Download
memory/2100-134-0x0000000000400000-0x00000000009DB000-memory.dmp

Filesize
5.9MB

Download
memory/2100-132-0x0000000000400000-0x00000000009DB000-memory.dmp

Filesize
5.9MB

Download
memory/2488-185-0x00007FF4DC7A0000-0x00007FF4DC89A000-memory.dmp

Filesize
1000KB

Download
memory/2488-182-0x00007FF4DC7A0000-0x00007FF4DC89A000-memory.dmp

Filesize
1000KB

Download
memory/2488-186-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2488-187-0x00007FF4DC7A0000-0x00007FF4DC89A000-memory.dmp

Filesize
1000KB

Download
memory/2488-181-0x00000132DE960000-0x00000132DE967000-memory.dmp

Filesize
28KB

Download
memory/2488-176-0x0000000000000000-mapping.dmp

Download
memory/3768-155-0x00000000010A0000-0x00000000010A9000-memory.dmp

Filesize
36KB

Download
memory/3768-154-0x00000000010B0000-0x00000000010B5000-memory.dmp

Filesize
20KB

Download
memory/3768-153-0x0000000000000000-mapping.dmp

Download
memory/3768-169-0x00000000010B0000-0x00000000010B5000-memory.dmp

Filesize
20KB

Download
memory/3892-170-0x0000000000870000-0x0000000000876000-memory.dmp

Filesize
24KB

Download
memory/3892-161-0x0000000000860000-0x000000000086B000-memory.dmp

Filesize
44KB

Download
memory/3892-159-0x0000000000000000-mapping.dmp

Download
memory/3892-160-0x0000000000870000-0x0000000000876000-memory.dmp

Filesize
24KB

Download
memory/3904-192-0x0000000000400000-0x00000000009DB000-memory.dmp

Filesize
5.9MB

Download
memory/3904-191-0x0000000000400000-0x00000000009DB000-memory.dmp

Filesize
5.9MB

Download
memory/3904-190-0x0000000000400000-0x00000000009DB000-memory.dmp

Filesize
5.9MB

Download
memory/4092-142-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/4092-141-0x0000000000000000-mapping.dmp

Download
memory/4512-149-0x00000000004F0000-0x00000000004FB000-memory.dmp

Filesize
44KB

Download
memory/4512-148-0x0000000000500000-0x0000000000507000-memory.dmp

Filesize
28KB

Download
memory/4512-167-0x0000000000500000-0x0000000000507000-memory.dmp

Filesize
28KB

Download
memory/4512-147-0x0000000000000000-mapping.dmp

Download
memory/4656-135-0x0000000000000000-mapping.dmp

Download
memory/4656-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-175-0x0000000001360000-0x0000000001363000-memory.dmp

Filesize
12KB

Download
memory/4656-180-0x0000000002EE0000-0x0000000002EFD000-memory.dmp

Filesize
116KB

Download
memory/4656-179-0x0000000001361000-0x0000000001363000-memory.dmp

Filesize
8KB

Download
memory/4656-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-138-0x0000000000000000-mapping.dmp

Download
memory/4844-144-0x0000000000550000-0x00000000005BB000-memory.dmp

Filesize
428KB

Download
memory/4844-139-0x0000000000800000-0x0000000000875000-memory.dmp

Filesize
468KB

Download
memory/4844-140-0x0000000000550000-0x00000000005BB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads