cobaltstrike | bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c

General

Target

bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
Size

4.2MB
MD5

0d45a224e1bd75dc5573b8bb5ad028b5
SHA1

d1c78f3d46ae95140901f4e4d345d58d5bde876c
SHA256

bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c
SHA512

d6d83008c08158b50802ad737e59af4a9f4928e6e796ad3efd2967e99375c52f14e37b45fb93fac57f7d723ce5d8f21485f90e659cc0752f8e72c39e92664538
SSDEEP

98304:9s+t7z1QBri9v+04O2dB6wmwSyjov40BLauuOCc81VQLcMtKC:a+t7RQVi9okHWRaWufCRVQfj

Score

10^/10

cobaltstrike metasploit 305419896 backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://124.222.220.126:80/login.js

Attributes

headers User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://124.222.220.126:80/admin/login

Attributes

access_type
512
host
124.222.220.126,/admin/login
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
5000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.82554112e+09
unknown2
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/admin/user
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

seeyou.exe

pid process

1716 seeyou.exe

pid	process
1716	seeyou.exe

Loads dropped DLL 2 IoCs

Processes:

bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe

pid	process
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Public\Videos\seeyou.exe	upx
C:\Users\Public\Videos\seeyou.exe	upx
behavioral1/memory/2264-8819-0x0000000035390000-0x000000003558D000-memory.dmp	upx
behavioral1/memory/1716-8820-0x0000000000260000-0x000000000045D000-memory.dmp	upx
C:\Users\Public\Videos\seeyou.exe	upx
\Users\Public\Videos\seeyou.exe	upx
behavioral1/memory/1716-8833-0x0000000000260000-0x000000000045D000-memory.dmp	upx

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

seeyou.exe

description	ioc	process
File opened (read-only)	\??\S:	seeyou.exe
File opened (read-only)	\??\U:	seeyou.exe
File opened (read-only)	\??\V:	seeyou.exe
File opened (read-only)	\??\W:	seeyou.exe
File opened (read-only)	\??\Y:	seeyou.exe
File opened (read-only)	\??\L:	seeyou.exe
File opened (read-only)	\??\N:	seeyou.exe
File opened (read-only)	\??\H:	seeyou.exe
File opened (read-only)	\??\B:	seeyou.exe
File opened (read-only)	\??\G:	seeyou.exe
File opened (read-only)	\??\P:	seeyou.exe
File opened (read-only)	\??\T:	seeyou.exe
File opened (read-only)	\??\Z:	seeyou.exe
File opened (read-only)	\??\J:	seeyou.exe
File opened (read-only)	\??\K:	seeyou.exe
File opened (read-only)	\??\M:	seeyou.exe
File opened (read-only)	\??\O:	seeyou.exe
File opened (read-only)	\??\Q:	seeyou.exe
File opened (read-only)	\??\R:	seeyou.exe
File opened (read-only)	\??\X:	seeyou.exe
File opened (read-only)	\??\E:	seeyou.exe
File opened (read-only)	\??\I:	seeyou.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs

Processes:

bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe

pid	process
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1692 tasklist.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 5 Go-http-client/1.1

pid	process
1692	tasklist.exe

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

seeyou.exe

pid process

1716 seeyou.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe

pid process

2264 bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 1692 tasklist.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

668 DllHost.exe

pid	process
1716	seeyou.exe

description	pid	process
Token: SeDebugPrivilege	1692	tasklist.exe

pid	process
668	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exeseeyou.exe

description	pid	process	target process
PID 2264 wrote to memory of 1656	2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe	cmd.exe
PID 2264 wrote to memory of 1656	2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe	cmd.exe
PID 2264 wrote to memory of 1656	2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe	cmd.exe
PID 2264 wrote to memory of 1656	2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe	cmd.exe
PID 2264 wrote to memory of 1716	2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe	seeyou.exe
PID 2264 wrote to memory of 1716	2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe	seeyou.exe
PID 2264 wrote to memory of 1716	2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe	seeyou.exe
PID 2264 wrote to memory of 1716	2264	bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe	seeyou.exe
PID 1716 wrote to memory of 1692	1716	seeyou.exe	tasklist.exe
PID 1716 wrote to memory of 1692	1716	seeyou.exe	tasklist.exe
PID 1716 wrote to memory of 1692	1716	seeyou.exe	tasklist.exe
PID 1716 wrote to memory of 1692	1716	seeyou.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe
"C:\Users\Admin\AppData\Local\Temp\bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd " /c " C:\Users\Admin\AppData\Local\Temp\awfgwaevs.jpg
2⤵
PID:1656

C:\Users\Public\Videos\seeyou.exe
C:\Users\Public\Videos\seeyou.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\awfgwaevs.jpg
Filesize
209KB

MD5
bda01c97ab5cf270a1b6119eb7189c32

SHA1
c5f9ec0cf43cd70a031123d081e723abaacf4ae8

SHA256
cea7d8628ba428406ea6c55328bd5728ce1d4e8473d6f0a133fb698a6fe6feea

SHA512
1b0a6cd6add432cbab29ade006e59113196e0e3a21deedee984c504b574d4323cd2b21b9d12f03590cf45409060494a8299ec7223fe96802514aebc16ec77a1a

Download Submit
C:\Users\Public\Videos\seeyou.exe
Filesize
942KB

MD5
ef78d3c0897005e14f90d071d792b2a9

SHA1
68181238c6f70c5b360141455fdbf4fb452449ef

SHA256
b3eab41f3c5834b165ff22e368b43e620070b55369377e5a967d16c1109799c4

SHA512
844b29ef3600e7ec9dc40c89cc7669138c5e13701d9507412b744b3f13cb54294a95c47dc5e417a9bda382c83471a04ab9d9cf882b9e91e7bb59df4ec5dac4b6

Download Submit
C:\Users\Public\Videos\seeyou.exe
Filesize
942KB

MD5
ef78d3c0897005e14f90d071d792b2a9

SHA1
68181238c6f70c5b360141455fdbf4fb452449ef

SHA256
b3eab41f3c5834b165ff22e368b43e620070b55369377e5a967d16c1109799c4

SHA512
844b29ef3600e7ec9dc40c89cc7669138c5e13701d9507412b744b3f13cb54294a95c47dc5e417a9bda382c83471a04ab9d9cf882b9e91e7bb59df4ec5dac4b6

Download Submit
\Users\Public\Videos\seeyou.exe
Filesize
942KB

MD5
ef78d3c0897005e14f90d071d792b2a9

SHA1
68181238c6f70c5b360141455fdbf4fb452449ef

SHA256
b3eab41f3c5834b165ff22e368b43e620070b55369377e5a967d16c1109799c4

SHA512
844b29ef3600e7ec9dc40c89cc7669138c5e13701d9507412b744b3f13cb54294a95c47dc5e417a9bda382c83471a04ab9d9cf882b9e91e7bb59df4ec5dac4b6

Download Submit
\Users\Public\Videos\seeyou.exe
Filesize
942KB

MD5
ef78d3c0897005e14f90d071d792b2a9

SHA1
68181238c6f70c5b360141455fdbf4fb452449ef

SHA256
b3eab41f3c5834b165ff22e368b43e620070b55369377e5a967d16c1109799c4

SHA512
844b29ef3600e7ec9dc40c89cc7669138c5e13701d9507412b744b3f13cb54294a95c47dc5e417a9bda382c83471a04ab9d9cf882b9e91e7bb59df4ec5dac4b6

Download Submit
memory/668-8804-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/668-8809-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1716-8833-0x0000000000260000-0x000000000045D000-memory.dmp

Filesize
2.0MB

Download
memory/1716-8829-0x0000000012400000-0x0000000013400000-memory.dmp

Filesize
16.0MB

Download
memory/1716-8820-0x0000000000260000-0x000000000045D000-memory.dmp

Filesize
2.0MB

Download
memory/2264-909-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-925-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-877-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-885-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-887-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-889-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-895-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-893-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-891-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-897-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-899-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-901-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-903-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-905-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-907-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-911-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-53-0x0000000000400000-0x0000000000C5F000-memory.dmp

Filesize
8.4MB

Download
memory/2264-913-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-917-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-915-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-919-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-921-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-923-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-881-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-2600-0x0000000000C60000-0x0000000000D60000-memory.dmp

Filesize
1024KB

Download
memory/2264-2601-0x00000000028F0000-0x0000000002A71000-memory.dmp

Filesize
1.5MB

Download
memory/2264-5301-0x0000000000C60000-0x0000000000D60000-memory.dmp

Filesize
1024KB

Download
memory/2264-8741-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-8748-0x0000000000400000-0x0000000000C5F000-memory.dmp

Filesize
8.4MB

Download
memory/2264-8751-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/2264-883-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-879-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-8807-0x00000000344B0000-0x00000000348B0000-memory.dmp

Filesize
4.0MB

Download
memory/2264-8808-0x0000000000400000-0x0000000000C5F000-memory.dmp

Filesize
8.4MB

Download
memory/2264-871-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-875-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-873-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-8819-0x0000000035390000-0x000000003558D000-memory.dmp

Filesize
2.0MB

Download
memory/2264-864-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-865-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-869-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-8821-0x0000000035390000-0x000000003558D000-memory.dmp

Filesize
2.0MB

Download
memory/2264-867-0x00000000026D0000-0x00000000027E1000-memory.dmp

Filesize
1.1MB

Download
memory/2264-8830-0x0000000035390000-0x000000003558D000-memory.dmp

Filesize
2.0MB

Download
memory/2264-54-0x0000000076C30000-0x0000000076C77000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads