cobaltstrike | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03

General

Target

7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Size

494KB
MD5

94b4eb33f72c5df6e7823407e12fa2b5
SHA1

e59fbee36c7604f2fbbb05a13aa2ef6fe2e0f56f
SHA256

7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03
SHA512

19539f69b0cbcc7c6be91f347d9289b19331f1def5606dc80600edf6b7d2923eefde62fd996614a22bbd56c8bb49293345d8f824f960220bdb91d56d539eb491
SSDEEP

12288:fzxzTDWikLSb4NS7/dc+tkUXY1AfOY7llq7KKIoYy:dDWHSb4NpnVYPq5Yy

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://85.175.101.203:80/access/

Attributes

access_type
512
host
85.175.101.203,/access/
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAAEAAAACBIb3N0OiBhdWRpby1zdjUtdDEtMy5wYW5kb3JhLmNvbQAAAAoAAABIQ29va2llOiAgX191dG1hPTIxMDA3NzYyMi4xNzMyNDM5OTk1LjE0MzMyMDE0NjIuMTQwMzIwNDM3Mi4xMzg1MjAyNDkzLjI7AAAACQAAAAl2ZXJzaW9uPTQAAAAJAAAADmxpZD0xNTgyNTAyNzI0AAAABwAAAAAAAAAIAAAABQAAAAV0b2tlbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFUhvc3Q6IHd3dy5wYW5kb3JhLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNTgyNTAyNzI0AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
1000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
7.382016e+08
unknown2
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/radio/xmlrpc/v35
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

3 1516 rundll32.exe
4 1516 rundll32.exe
5 1516 rundll32.exe
7 1516 rundll32.exe
8 1516 rundll32.exe
9 1516 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

Servis.exeUAC.exe

pid process

1588 Servis.exe
1532 UAC.exe

flow	pid	process
3	1516	rundll32.exe
4	1516	rundll32.exe
5	1516	rundll32.exe
7	1516	rundll32.exe
8	1516	rundll32.exe
9	1516	rundll32.exe

pid	process
1588	Servis.exe
1532	UAC.exe

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

UAC.exe

description pid process target process

PID 1532 set thread context of 1516 1532 UAC.exe rundll32.exe

description	pid	process	target process
PID 1532 set thread context of 1516	1532	UAC.exe	rundll32.exe

Drops file in Windows directory 7 IoCs

Processes:

7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\UAC.exe	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File opened for modification	C:\Windows\UAC.exe	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_7079668	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File created	C:\Windows\Servis.exe	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File opened for modification	C:\Windows\Servis.exe	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1}\WpadDecisionTime = 5066325fe24fd901	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1}\WpadNetworkName = "Network 2"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1}\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1}\8a-ad-93-50-6a-67	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-ad-93-50-6a-67\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-ad-93-50-6a-67\WpadDecisionTime = 5066325fe24fd901	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1}	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B8A40C0-8CBE-4769-A793-D84374EEB9F1}\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-ad-93-50-6a-67	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-ad-93-50-6a-67\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00af000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exerundll32.exe

pid process

628 powershell.exe
1784 powershell.exe
1516 rundll32.exe
1516 rundll32.exe
1516 rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE

pid	process
628	powershell.exe
1784	powershell.exe
1516	rundll32.exe
1516	rundll32.exe
1516	rundll32.exe

pid	process
1240	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exepowershell.exepowershell.exe

description	pid	process
Token: SeSecurityPrivilege	1060	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Token: SeRestorePrivilege	1060	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exeServis.execmd.exeUAC.exerundll32.exe

description	pid	process	target process
PID 1060 wrote to memory of 1588	1060	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe	Servis.exe
PID 1060 wrote to memory of 1588	1060	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe	Servis.exe
PID 1060 wrote to memory of 1588	1060	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe	Servis.exe
PID 1060 wrote to memory of 1588	1060	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe	Servis.exe
PID 1588 wrote to memory of 1268	1588	Servis.exe	cmd.exe
PID 1588 wrote to memory of 1268	1588	Servis.exe	cmd.exe
PID 1588 wrote to memory of 1268	1588	Servis.exe	cmd.exe
PID 1588 wrote to memory of 1268	1588	Servis.exe	cmd.exe
PID 1268 wrote to memory of 628	1268	cmd.exe	powershell.exe
PID 1268 wrote to memory of 628	1268	cmd.exe	powershell.exe
PID 1268 wrote to memory of 628	1268	cmd.exe	powershell.exe
PID 1268 wrote to memory of 1784	1268	cmd.exe	powershell.exe
PID 1268 wrote to memory of 1784	1268	cmd.exe	powershell.exe
PID 1268 wrote to memory of 1784	1268	cmd.exe	powershell.exe
PID 1532 wrote to memory of 1516	1532	UAC.exe	rundll32.exe
PID 1532 wrote to memory of 1516	1532	UAC.exe	rundll32.exe
PID 1532 wrote to memory of 1516	1532	UAC.exe	rundll32.exe
PID 1532 wrote to memory of 1516	1532	UAC.exe	rundll32.exe
PID 1532 wrote to memory of 1516	1532	UAC.exe	rundll32.exe
PID 1532 wrote to memory of 1516	1532	UAC.exe	rundll32.exe
PID 1532 wrote to memory of 1516	1532	UAC.exe	rundll32.exe
PID 1532 wrote to memory of 1516	1532	UAC.exe	rundll32.exe
PID 1516 wrote to memory of 1240	1516	rundll32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1240

C:\Users\Admin\AppData\Local\Temp\7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
"C:\Users\Admin\AppData\Local\Temp\7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\Servis.exe
"C:\Windows\Servis.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7FD.tmp\7FE.tmp\7FF.bat C:\Windows\Servis.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass -command "New-Service -Name UAC -BinaryPathName C:\Windows\UAC.exe"
5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass -command "Start-Service -Name UAC -PassThru"
5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\UAC.exe
C:\Windows\UAC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7FD.tmp\7FE.tmp\7FF.bat
Filesize
211B

MD5
ceb3c06960136b0e3ebadca62fdf415e

SHA1
8b67ec15381aad2453ad9f78f9ebd469de1a2925

SHA256
d821ecc0208b6fcb11311f7c0abc45f640da48c09a37051da3320676495d5b16

SHA512
9cf6ea5b486b33add21944225e6cc62fd2402628caf43d76ac3dfdb58ea4a3c965489de627c0c11d7a26065ae4d158ff687860ac0d3fe2dd5a502912100fb9d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
65c94bae794ec7119cc20e6a457c5b8a

SHA1
9c5758f3767f03319524db95611e106ac5922031

SHA256
fe476f1500c86ded41ebf0076233c22f2525f7cabde26c379eb42fc3aa3ee508

SHA512
3f8bfd111623c2c935e265359ec130127a7abd11927e4997c5dcc8978a4764aab4c46b73092e72862778b6dc7733f5a05846b9b94dfb1cbf170b112e22c6d866

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T9LCX3SK6PML2AR9Z0O4.temp
Filesize
7KB

MD5
65c94bae794ec7119cc20e6a457c5b8a

SHA1
9c5758f3767f03319524db95611e106ac5922031

SHA256
fe476f1500c86ded41ebf0076233c22f2525f7cabde26c379eb42fc3aa3ee508

SHA512
3f8bfd111623c2c935e265359ec130127a7abd11927e4997c5dcc8978a4764aab4c46b73092e72862778b6dc7733f5a05846b9b94dfb1cbf170b112e22c6d866

Download Submit
C:\Windows\Servis.exe
Filesize
87KB

MD5
461938519e0d15b209cf0da74d686e05

SHA1
f7a21d413eba8ee1b8c82546cb1d0396aea6dc73

SHA256
013f4ea44e1685269f940dced55d46485393c9a58160c79de69eed2f470ac82b

SHA512
33640f9d37838b9ecbe842623980eafe24c9fc58e0ab26ee87d97de2edaa709879f593bc383638ba0af1c0f9917bb1c0c1b09762e72f174dbbb39c51c7a51f1e

Download Submit
C:\Windows\Servis.exe
Filesize
87KB

MD5
461938519e0d15b209cf0da74d686e05

SHA1
f7a21d413eba8ee1b8c82546cb1d0396aea6dc73

SHA256
013f4ea44e1685269f940dced55d46485393c9a58160c79de69eed2f470ac82b

SHA512
33640f9d37838b9ecbe842623980eafe24c9fc58e0ab26ee87d97de2edaa709879f593bc383638ba0af1c0f9917bb1c0c1b09762e72f174dbbb39c51c7a51f1e

Download Submit
C:\Windows\UAC.exe
Filesize
282KB

MD5
d8c81b67c27140970e704edb6e0faf63

SHA1
43d91226c004d2b5538c4e057cd05eb9b52166be

SHA256
da68308adf531b3dc93d7443669bfe84650c6fea041e3fdb63b4703b1be1cc5b

SHA512
5ec9cb623987ae9ac524a5de02ae1ace0e3cc549cb134fa056d2c257dffafb51fb55c47fbdea29a6c9d215ea6b1b63baf6f3ebba81bc2118dac508d7c68d2268

Download Submit
memory/628-76-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/628-79-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/628-81-0x000000000264B000-0x0000000002682000-memory.dmp

Filesize
220KB

Download
memory/628-80-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/628-78-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/628-77-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1240-101-0x0000000003910000-0x0000000003929000-memory.dmp

Filesize
100KB

Download
memory/1240-100-0x0000000002A50000-0x0000000002A65000-memory.dmp

Filesize
84KB

Download
memory/1240-99-0x0000000002A50000-0x0000000002A65000-memory.dmp

Filesize
84KB

Download
memory/1516-98-0x00000000001F0000-0x000000000022E000-memory.dmp

Filesize
248KB

Download
memory/1516-103-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1516-93-0x00000000000D0000-0x0000000000104000-memory.dmp

Filesize
208KB

Download
memory/1516-92-0x00000000000D0000-0x0000000000104000-memory.dmp

Filesize
208KB

Download
memory/1516-97-0x00000000001F0000-0x000000000022E000-memory.dmp

Filesize
248KB

Download
memory/1516-104-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1516-105-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1516-102-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1532-95-0x00000000011D0000-0x000000000121D000-memory.dmp

Filesize
308KB

Download
memory/1784-96-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1784-87-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1784-88-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1784-89-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1784-90-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads