44caliber | 99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082

Resubmissions

01-07-2024 12:05

240701-n9bt2s1akf 10

01-07-2024 11:59

240701-n5w97atdqr 10

Analysis

max time kernel
249s
max time network
252s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 12:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

fix.exe
Size

35KB
MD5

83bbe29b99a54bad48074efb72ce1fcc
SHA1

421deeba13130a8eebacc8c7f48f28e6fe8485f2
SHA256

99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082
SHA512

67fe2ac907c297cd3c4d1af7f80257b468bc4e73cab428568ea1238d41cd8c43262765a0b0d43b2accb003901a66e9e7ec162fefda2fd89040697e1e168ac27f
SSDEEP

768:ChiLce92aOrsQiUy5FyS9ZL6LOjhibold:ChkceWsQi5FT9ZL6LOjGo7

Score

10^/10

44caliber xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

20.ip.gl.ply.gg:53765

Mutex

JCfj6Aifpywc6Ul9

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/1257280785476489217/L0UpV_ifGB55FAhZrd11A9RdK3XS9SxV4y_plmFbDZcUnmaJOTP9fgCIl4fpiKvDuv1o

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral5/memory/1092-1-0x00000000000A0000-0x00000000000B0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3760 powershell.exe
1768 powershell.exe
1348 powershell.exe
4196 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

rldyiv.exemrwigj.exeyyhbpp.exerlchdq.exe

pid process

1964 rldyiv.exe
924 mrwigj.exe
4116 yyhbpp.exe
3032 rlchdq.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1964	rldyiv.exe
924	mrwigj.exe
4116	yyhbpp.exe
3032	rlchdq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fix.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	fix.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
7 freegeoip.app
9 freegeoip.app
10 freegeoip.app
12 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
3	freegeoip.app
7	freegeoip.app
9	freegeoip.app
10	freegeoip.app
12	freegeoip.app

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "143"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exerldyiv.exemrwigj.exeyyhbpp.exerlchdq.exe

pid	process
3760	powershell.exe
3760	powershell.exe
1768	powershell.exe
1768	powershell.exe
1348	powershell.exe
1348	powershell.exe
4196	powershell.exe
4196	powershell.exe
1964	rldyiv.exe
1964	rldyiv.exe
1964	rldyiv.exe
924	mrwigj.exe
924	mrwigj.exe
924	mrwigj.exe
4116	yyhbpp.exe
4116	yyhbpp.exe
4116	yyhbpp.exe
3032	rlchdq.exe
3032	rlchdq.exe
3032	rlchdq.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

fix.exepowershell.exepowershell.exepowershell.exepowershell.exerldyiv.exemrwigj.exeyyhbpp.exerlchdq.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	1092	fix.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	1092	fix.exe
Token: SeDebugPrivilege	1964	rldyiv.exe
Token: SeDebugPrivilege	924	mrwigj.exe
Token: SeDebugPrivilege	4116	yyhbpp.exe
Token: SeDebugPrivilege	3032	rlchdq.exe
Token: SeShutdownPrivilege	3972	shutdown.exe
Token: SeRemoteShutdownPrivilege	3972	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4892 LogonUI.exe

pid	process
4892	LogonUI.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

fix.exe

description	pid	process	target process
PID 1092 wrote to memory of 3760	1092	fix.exe	powershell.exe
PID 1092 wrote to memory of 3760	1092	fix.exe	powershell.exe
PID 1092 wrote to memory of 1768	1092	fix.exe	powershell.exe
PID 1092 wrote to memory of 1768	1092	fix.exe	powershell.exe
PID 1092 wrote to memory of 1348	1092	fix.exe	powershell.exe
PID 1092 wrote to memory of 1348	1092	fix.exe	powershell.exe
PID 1092 wrote to memory of 4196	1092	fix.exe	powershell.exe
PID 1092 wrote to memory of 4196	1092	fix.exe	powershell.exe
PID 1092 wrote to memory of 1964	1092	fix.exe	rldyiv.exe
PID 1092 wrote to memory of 1964	1092	fix.exe	rldyiv.exe
PID 1092 wrote to memory of 924	1092	fix.exe	mrwigj.exe
PID 1092 wrote to memory of 924	1092	fix.exe	mrwigj.exe
PID 1092 wrote to memory of 4116	1092	fix.exe	yyhbpp.exe
PID 1092 wrote to memory of 4116	1092	fix.exe	yyhbpp.exe
PID 1092 wrote to memory of 3032	1092	fix.exe	rlchdq.exe
PID 1092 wrote to memory of 3032	1092	fix.exe	rlchdq.exe
PID 1092 wrote to memory of 3972	1092	fix.exe	shutdown.exe
PID 1092 wrote to memory of 3972	1092	fix.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\fix.exe
"C:\Users\Admin\AppData\Local\Temp\fix.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fix.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\rldyiv.exe
  "C:\Users\Admin\AppData\Local\Temp\rldyiv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\mrwigj.exe
  "C:\Users\Admin\AppData\Local\Temp\mrwigj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Users\Admin\AppData\Local\Temp\yyhbpp.exe
  "C:\Users\Admin\AppData\Local\Temp\yyhbpp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Users\Admin\AppData\Local\Temp\rlchdq.exe
  "C:\Users\Admin\AppData\Local\Temp\rlchdq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\SYSTEM32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3972

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a1a055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5ba388a6597d5e09191c2c88d2fdf598

SHA1
13516f8ec5a99298f6952438055c39330feae5d8

SHA256
e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca

SHA512
ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
687b3558d687becb30ad8f90997723cc

SHA1
fb326d7d105aba4d26e1764e73fd124cad23f298

SHA256
5283507c63132fdaf5d64bb0a09bcd6ae6d412a4df0be934268bf8e774207ece

SHA512
f827d61fad06764cefbca1688b8b2df7c07a1080be42f524de9765650382db84151ee90dd74b6568ea6f5bc582399695ec2c1c598256076f2dc91ff250450abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gurhgij5.2gi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rldyiv.exe

Filesize
303KB

MD5
89069c3d83c29f44929e8f73e5672643

SHA1
8d2808c427dc3a039de3ab0902c7454d46d2a4a4

SHA256
69c4efe455f5c826e1c9df05518546a282efd01513c5ac811a9399f74e494216

SHA512
c81dd0189efc4e92813f4e9f224c59a246e8bec8b19185cc0a43da909a5acead5378b6b126bece793cd3d17fc25cf2f8a29d2a74169557317cf57252716beb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1407.tmp.tmpdb

Filesize
5.0MB

MD5
0d2ca23431733e26358b8db704674561

SHA1
8b000c5e7224f6d526e1aedf04a925c53aa547f3

SHA256
01f35d0a7fec1753913c309dc22b25d0724be4e93c3e9e6d45f428f85741db6b

SHA512
1547f9b52ad8ba43b685a97e1e340c3bf2d107ce2d2b4b7d8111ef9986d6abb5bce9ede04200782661955bb1d740d4720e35309ebff5dce5b5a1e413b8e39690

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1418.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp141C.tmp.dat

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp142C.tmp.dat

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp142D.tmp.tmpdb

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDCCA.tmp.dat

Filesize
114KB

MD5
ea3bbda11253a0ddfa0bd6d750a7c9fc

SHA1
6b920bcafd8036b42657e50c84a1da2cea4d1307

SHA256
0a2bfcd7ad484f317f01b03ed4475015a2182137cb3daf7cd5717a9f8d081f89

SHA512
d885aeb00d919689b020bbf541d548578fa415150c2a7a160603a7d397bdb4238fa518eb076bdbbc3401325e517334a5da361e894939954d9bc29560d5d13268

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDCDD.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
memory/1092-51-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/1092-1-0x00000000000A0000-0x00000000000B0000-memory.dmp

Filesize
64KB

Download
memory/1092-53-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/1092-52-0x00007FFA7DA33000-0x00007FFA7DA35000-memory.dmp

Filesize
8KB

Download
memory/1092-0-0x00007FFA7DA33000-0x00007FFA7DA35000-memory.dmp

Filesize
8KB

Download
memory/1092-231-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/1092-54-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/1964-66-0x000001AA97810000-0x000001AA97862000-memory.dmp

Filesize
328KB

Download
memory/3760-15-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3760-13-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3760-12-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3760-11-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3760-10-0x000001DDECB60000-0x000001DDECB82000-memory.dmp

Filesize
136KB

Download
memory/3760-14-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3760-18-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads