4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

General

Target

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Size

1.1MB
MD5

7560516355efa446658667a180977c11
SHA1

19cf36775b246599d9ae7fcd9b92f137a0d1c2bf
SHA256

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc
SHA512

61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395
SSDEEP

24576:S2TqSc+qNUwI7VV3iQPhFt4EKqZGy8uux/vJQrg1neCEsitbBQv:SiqSc+afwn3iQ7Cl6uZJQk1neMinq

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe:*:Enabled:Windows Messages Controler"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe = "c:\\windows\\sms.exe:*:Enabled:Windows Messages Controler"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

Executes dropped EXE 3 IoCs

Processes:

sms.exesms.exesms.exe

pid process

1492 sms.exe
1544 sms.exe
1816 sms.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

672 netsh.exe
1380 netsh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1492	sms.exe
1544	sms.exe
1816	sms.exe

pid	process
672	netsh.exe
1380	netsh.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messages Controler = "c:\\windows\\sms.exe"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Messages Controler = "c:\\windows\\sms.exe"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exesms.exesms.exe

description	pid	process	target process
PID 1888 set thread context of 1792	1888	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 set thread context of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 936 set thread context of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1492 set thread context of 1544	1492	sms.exe	sms.exe
PID 1544 set thread context of 1816	1544	sms.exe	sms.exe

Drops file in Windows directory 3 IoCs

Processes:

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exesms.exe

description	ioc	process
File created	\??\c:\windows\sms.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
File opened for modification	\??\c:\windows\sms.exe	sms.exe
File opened for modification	\??\c:\windows\sms.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

sms.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "fbdirecto.net/1/"	sms.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

sms.exe

pid process

1816 sms.exe

pid	process
1816	sms.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exesms.exesms.exesms.exe

description	pid	process	target process
PID 1888 wrote to memory of 1792	1888	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1888 wrote to memory of 1792	1888	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1888 wrote to memory of 1792	1888	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1888 wrote to memory of 1792	1888	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1180 wrote to memory of 672	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	netsh.exe
PID 1180 wrote to memory of 672	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	netsh.exe
PID 1180 wrote to memory of 672	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	netsh.exe
PID 1180 wrote to memory of 672	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	netsh.exe
PID 1180 wrote to memory of 1492	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	sms.exe
PID 1180 wrote to memory of 1492	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	sms.exe
PID 1180 wrote to memory of 1492	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	sms.exe
PID 1180 wrote to memory of 1492	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	sms.exe
PID 1492 wrote to memory of 1544	1492	sms.exe	sms.exe
PID 1492 wrote to memory of 1544	1492	sms.exe	sms.exe
PID 1492 wrote to memory of 1544	1492	sms.exe	sms.exe
PID 1492 wrote to memory of 1544	1492	sms.exe	sms.exe
PID 1492 wrote to memory of 1544	1492	sms.exe	sms.exe
PID 1492 wrote to memory of 1544	1492	sms.exe	sms.exe
PID 1492 wrote to memory of 1544	1492	sms.exe	sms.exe
PID 1492 wrote to memory of 1544	1492	sms.exe	sms.exe
PID 1492 wrote to memory of 1544	1492	sms.exe	sms.exe
PID 1492 wrote to memory of 1544	1492	sms.exe	sms.exe
PID 1492 wrote to memory of 1544	1492	sms.exe	sms.exe
PID 1544 wrote to memory of 1816	1544	sms.exe	sms.exe
PID 1544 wrote to memory of 1816	1544	sms.exe	sms.exe
PID 1544 wrote to memory of 1816	1544	sms.exe	sms.exe
PID 1544 wrote to memory of 1816	1544	sms.exe	sms.exe
PID 1544 wrote to memory of 1816	1544	sms.exe	sms.exe
PID 1544 wrote to memory of 1816	1544	sms.exe	sms.exe
PID 1544 wrote to memory of 1816	1544	sms.exe	sms.exe
PID 1544 wrote to memory of 1816	1544	sms.exe	sms.exe
PID 1544 wrote to memory of 1816	1544	sms.exe	sms.exe
PID 1816 wrote to memory of 1380	1816	sms.exe	netsh.exe
PID 1816 wrote to memory of 1380	1816	sms.exe	netsh.exe
PID 1816 wrote to memory of 1380	1816	sms.exe	netsh.exe
PID 1816 wrote to memory of 1380	1816	sms.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
"C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
"C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
"C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
"C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
4⤵
- Modifies firewall policy service
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram 1.exe 1 ENABLE
5⤵
- Modifies Windows Firewall
PID:672

\??\c:\windows\sms.exe
"c:\windows\sms.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492

\??\c:\windows\sms.exe
"c:\windows\sms.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544

\??\c:\windows\sms.exe
"c:\windows\sms.exe"
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram 1.exe 1 ENABLE
8⤵
- Modifies Windows Firewall
PID:1380

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sms.exe
Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
C:\Windows\sms.exe
Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
C:\Windows\sms.exe
Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
\??\c:\windows\sms.exe
Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
memory/672-83-0x0000000000000000-mapping.dmp

Download
memory/936-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-64-0x0000000000401110-mapping.dmp

Download
memory/936-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-66-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/936-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1180-76-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-69-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-80-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-82-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-77-0x0000000000407826-mapping.dmp

Download
memory/1180-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-74-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-86-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1380-117-0x0000000000000000-mapping.dmp

Download
memory/1492-84-0x0000000000000000-mapping.dmp

Download
memory/1544-98-0x0000000000401110-mapping.dmp

Download
memory/1544-113-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1792-54-0x000000000015212E-mapping.dmp

Download
memory/1816-111-0x0000000000407826-mapping.dmp

Download
memory/1816-119-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1816-120-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads