neshta | beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224e

Analysis

max time kernel
16s
max time network
63s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/10/2024, 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
Size

1.2MB
MD5

b2f55eca44253a76de0172fd3e4f6cb0
SHA1

40a31939bd75bbe7064d04e77a62aae082f881cc
SHA256

beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224e
SHA512

fbcdefbe4f2c1a75814e1d06e6afb09488bb1467765122379df5ca053ec3e0f6e44023931547faaa2927a458dffdc2ab06f1c04e5375ad65b24e6508c3ef34d2
SSDEEP

24576:ioe9YJLnbCQM0rbOwG8ihLXciDZZls8H9xCcjUtFTgbP+9:x3b5FrbOTLXci9Zj9fUtFTD

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010319-10.dat	family_neshta
behavioral1/memory/2128-395-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2128-398-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 2 IoCs

pid	Process
2312	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
1316	SupportAssistInstaller.exe

Loads dropped DLL 3 IoCs

pid	Process
2128	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
2312	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
2128	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE	SupportAssistInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE\Blob = 0f0000000100000014000000f53631b5177626eb6541df5563c8187d9dca421a09000000010000005e000000305c06082b0601050507030306082b0601050507030106082b0601050507030206082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b06010505070308060a2b0601040182370a030453000000010000002400000030223020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c0b000000010000001000000045006e00740072007500730074000000030000000100000014000000801d62d07b449d5c5c035c98ea61fa443c2a58fe2000000001000000600400003082045c30820344a00302010202043863b966300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3139313232343138323035315a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3743072301106096086480186f8420101040403020007301f0603551d2304183016801455e481d11180bed889b908a331f9a1240916b970301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970301d06092a864886f67d0741000410300e1b0856352e303a342e3003020490300d06092a864886f70d010105050003820101005947ac21848a17c99c89531eba80851ac63c4e3eb19cb67cc6925d186402e3d3060811617c63e32b9d31037076d2a328a0f4bb9a6373ed6de52adbed14a92bc63611d02beb078ba5da9e5c199d5612f55429c805edb2122a8df4031bffe7921087b03ab5c39d053712a3c7f415b9d5a439169b533a2391f1a882a26a8868c1790222bcaaa6d6aedfb0145fb887d0dd7c7f7bffaf1ccfe6db07ad5edb859dd02b0d33db04d1e64940132b76fb3ee99c890f15ce18b08578214f6b4f0efa3667cd07f2ff08d0e2ded9bf2aafb88786213c04cab794687fcf3ce998d738ffecc0d950f02e4b58ae466fd02ec360da725572bd4c459e61babf84819203d1d2697cc5	SupportAssistInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE\Blob = 19000000010000001000000091fad483f14848a8a69b18b805cdbb3a030000000100000014000000801d62d07b449d5c5c035c98ea61fa443c2a58fe0b000000010000001000000045006e007400720075007300740000001d0000000100000010000000e871723e266f38af5d49cda2a502669c14000000010000001400000055e481d11180bed889b908a331f9a1240916b97053000000010000002400000030223020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c009000000010000005e000000305c06082b0601050507030306082b0601050507030106082b0601050507030206082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b06010505070308060a2b0601040182370a03040f0000000100000014000000f53631b5177626eb6541df5563c8187d9dca421a2000000001000000600400003082045c30820344a00302010202043863b966300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3139313232343138323035315a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3743072301106096086480186f8420101040403020007301f0603551d2304183016801455e481d11180bed889b908a331f9a1240916b970301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970301d06092a864886f67d0741000410300e1b0856352e303a342e3003020490300d06092a864886f70d010105050003820101005947ac21848a17c99c89531eba80851ac63c4e3eb19cb67cc6925d186402e3d3060811617c63e32b9d31037076d2a328a0f4bb9a6373ed6de52adbed14a92bc63611d02beb078ba5da9e5c199d5612f55429c805edb2122a8df4031bffe7921087b03ab5c39d053712a3c7f415b9d5a439169b533a2391f1a882a26a8868c1790222bcaaa6d6aedfb0145fb887d0dd7c7f7bffaf1ccfe6db07ad5edb859dd02b0d33db04d1e64940132b76fb3ee99c890f15ce18b08578214f6b4f0efa3667cd07f2ff08d0e2ded9bf2aafb88786213c04cab794687fcf3ce998d738ffecc0d950f02e4b58ae466fd02ec360da725572bd4c459e61babf84819203d1d2697cc5	SupportAssistInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE\Blob = 040000000100000010000000ba21ea20d6dddb8fc1578b40ada1fcfc0f0000000100000014000000f53631b5177626eb6541df5563c8187d9dca421a09000000010000005e000000305c06082b0601050507030306082b0601050507030106082b0601050507030206082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b06010505070308060a2b0601040182370a030453000000010000002400000030223020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c0b000000010000001000000045006e00740072007500730074000000030000000100000014000000801d62d07b449d5c5c035c98ea61fa443c2a58fe19000000010000001000000091fad483f14848a8a69b18b805cdbb3a2000000001000000600400003082045c30820344a00302010202043863b966300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3139313232343138323035315a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3743072301106096086480186f8420101040403020007301f0603551d2304183016801455e481d11180bed889b908a331f9a1240916b970301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970301d06092a864886f67d0741000410300e1b0856352e303a342e3003020490300d06092a864886f70d010105050003820101005947ac21848a17c99c89531eba80851ac63c4e3eb19cb67cc6925d186402e3d3060811617c63e32b9d31037076d2a328a0f4bb9a6373ed6de52adbed14a92bc63611d02beb078ba5da9e5c199d5612f55429c805edb2122a8df4031bffe7921087b03ab5c39d053712a3c7f415b9d5a439169b533a2391f1a882a26a8868c1790222bcaaa6d6aedfb0145fb887d0dd7c7f7bffaf1ccfe6db07ad5edb859dd02b0d33db04d1e64940132b76fb3ee99c890f15ce18b08578214f6b4f0efa3667cd07f2ff08d0e2ded9bf2aafb88786213c04cab794687fcf3ce998d738ffecc0d950f02e4b58ae466fd02ec360da725572bd4c459e61babf84819203d1d2697cc5	SupportAssistInstaller.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2312	2128	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	29
PID 2128 wrote to memory of 2312	2128	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	29
PID 2128 wrote to memory of 2312	2128	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	29
PID 2128 wrote to memory of 2312	2128	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	29
PID 2128 wrote to memory of 2312	2128	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	29
PID 2128 wrote to memory of 2312	2128	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	29
PID 2128 wrote to memory of 2312	2128	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	29
PID 2312 wrote to memory of 1316	2312	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	31
PID 2312 wrote to memory of 1316	2312	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	31
PID 2312 wrote to memory of 1316	2312	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	31
PID 2312 wrote to memory of 1316	2312	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	31

C:\Users\Admin\AppData\Local\Temp\beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
"C:\Users\Admin\AppData\Local\Temp\beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\3582-490\beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\SupportAssistInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\SupportAssistInstaller.exe" "esupport"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\Dell.SupportAssist.Client.FrameworkLogger.dll

Filesize
18KB

MD5
8fb21349b0fb5e5d7de8b921e25e10d0

SHA1
bee87220da3d9513de14e7d303120ccc09de8505

SHA256
b9fe3a919470f29464d4537e8a569bc9561b956a7b82976b23ffb9b4e22db13a

SHA512
58a1728350c10ea68d9849a2746ee6c2ec2e9beb959f090aa1ff222a24cb8c5cb7d1ad80aaede11b695c7fd866606e83d3fe2dfa50a13b06f5c05384f80a941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\Microsoft.Practices.Unity.dll

Filesize
143KB

MD5
27f24aed31d72c0a3214e54e4137fcf6

SHA1
93dab8c3392ab7eeb0062fc4224d57dde75b6794

SHA256
8355fd8ff475f1d032bc6667f185e25377e35644b5ffd2fe12c8e83705a03957

SHA512
16215965e7b317de67beae9c94a7187ff32b47e7a7ff1e38c2947769d53961defc9f8741d7e7e37ce74264c60e5c35df71065e36069776ffb3c71d3a064786c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\Newtonsoft.Json.dll

Filesize
688KB

MD5
0428dddbd43486d805f6f72d6539dafb

SHA1
43502e57b6c1542d452562a013a4a0952937e1ad

SHA256
ef80e07b7819d8a82bbb8efc4109618b51c7df5e3463cf04e3b332cfc3c01efc

SHA512
9b67272ae8739b25f0ec5d0572a834c5edab7a9ecc27b47de9a5998849a8c4712c61a841ec94e49dfe4cf98f73690ea6e9020e1c247af105d746c9147f79f879

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\Resource\SA4_Installer_BG_900x600.jpg

Filesize
113KB

MD5
305fd53cde696bc7603f21955dbe75f4

SHA1
f1400ac28e32270e4d981e4c4cf37ec47506f6b3

SHA256
8bd98eaa8f939d1c8e69d219982573bf8fdb9c62c25c71b7cf385ff41fc5b276

SHA512
b0032a438d29153e7e5f95409c0df36dd9a884961e7b41de42303ee5f577d009129f03dfc2bd1debf5ceffd7eb2499c45381faabc1109fbc442001cd8a1d0d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\Resource\en-US\Installer.json

Filesize
6KB

MD5
607d5d437d88863e793eb4f659a37981

SHA1
c7b2f6ab7c52a2c0e4a8c776f27af21e8a4f539a

SHA256
3d509e191b06487e56638d1dfc4ea5f540a833c695219ccd241e70fa0751baee

SHA512
d18c5f4934d9fc07f646ea25f02019224c600b63ea5170d234fd78a9e8805e37ba82a543111a3fa7d6c266c6669063620af93437757040a02cbf42f71ad87647

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\Resource\roboto-light.ttf

Filesize
123KB

MD5
46e48ce0628835f68a7369d0254e4283

SHA1
e321c183e2b75ee19813892b7bac8d7c411cb88a

SHA256
ee4352049603e5960550f55444ad720d8d4ce322c0dcba1afc77de78c430d0d5

SHA512
8ad21d9c1c0496de9d47a5f353e437de399e24e9f780ec9beef1963cb9ca4c657748eee2493d91d57f1be1393411303db7f21e4543696c9843ff0e570d2882d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\Resource\roboto-medium.ttf

Filesize
124KB

MD5
894a2ede85a483bf9bedefd4db45cdb9

SHA1
6060ca726b9760b76f7c347dce9d2fa1fe42ec92

SHA256
6e2ec5c5f89e4ce302bb93b46cb7cc336236501de17348e284878914c5e0e723

SHA512
cecce690b1066f3424ba3684cd4f7993746551d3642fda4f044090fe285ec2a73bfecde27f0df79824b99c42aa6b033a890b5174215748716d8ac4741a5d6a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\Resource\roboto-regular.ttf

Filesize
123KB

MD5
df7b648ce5356ea1ebce435b3459fd60

SHA1
824b5480c977a8166e177e5357d13164ccc45f47

SHA256
bde8a188e37aa936b167aecc5e5a3da40262f6e51fd54c584f2cf2b6b99d96ca

SHA512
d78cb378c0b5939fcba01c272616010e28c7878ef63944fc9bf48f2f0abec6f9c72c4f56ed9785194626fa6979ae3f4d7b43e924ef84686e6ff2b8058e5580a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\Resource\roboto-thin.ttf

Filesize
124KB

MD5
94998475f6aea65f558494802416c1cf

SHA1
173ed64528b4d010a76d8d38deb1d7e7eed58eda

SHA256
db1d464343bf795307bc90da83d65b93c841fb20f38662f92f1e5e2c5a1d2ec5

SHA512
51cba34e46887078ee3101bfe6f652451d67a73c2a6c0b05bf353e1cc358b36ba99f09a0ffdbb59bea491590e935ba2b0a65798e9b67e6a3a3b8491bc0463ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\Resource\spinner_blue.png

Filesize
1KB

MD5
0d264f346bcc8a340a413d5234285786

SHA1
95b8c10c89e07b0a41e189f9016b48dd60fd6f17

SHA256
41d3b9695455de5c7e58894ae854ce34e72b1d808a3c02ebb2fefe97e9533281

SHA512
16770c22b8205c00e75a4bd284580389d9cfb7486669a68e7a76c5eef3413b00d66685104113aac9e960c83db44d57f43bc292f141a22d9d6528acdf53e1ada8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\Styles\DellStyles.xaml

Filesize
2KB

MD5
e0e508eaa2aff8fc6790d34a404c58bd

SHA1
e21ffc5aafd34f51cb7e6328a8eb7591f381a968

SHA256
9f96fb69b50c735eb4d1c0dff55a804f69ea7212ba9dc0332ac10c42a0b7b2db

SHA512
ab9e91f6aef37e0f84e31d095d607d5bac18109fae8807966a7be9834c00de44e5896d47ae6cb687a4fa616160a2da7af386b492d5aa9bf60a61e64c5677168b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\SupportAssistInstaller.exe

Filesize
943KB

MD5
797402be3e790bb35dea470ef063b66f

SHA1
676e9b40372de05b176e6306e5929218ad6800bf

SHA256
68b204dde251c0331a1f1554d9e7b9c50390deeb0afd0ae37ec23e8cd658a2d3

SHA512
cd51f5150a40c8ba61d52f932591a80f897fdb30bc504c25517139055949b71a2ea1b26bdb95a6dc37914490b38c1459c61a1999fc6198db69fe2368a22c7209

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\SupportAssistInstaller.exe.config

Filesize
538B

MD5
e97ac84664026547fb344425a89c0edd

SHA1
6fd4dc83604a75e8c8057fb3008d044da91e16e1

SHA256
e93f8fbaece629c2d4621e7ca82ec57d1f05a746a06f45f8b41a43413885e518

SHA512
465a0ff55c6911cd6dcd1fc20b9d80ae45213994ddcc61b5dfbf0f84ec1994b87618d430952b41e7a242af44682cb38fb490d9a3a4f5fa23f4725e0daf410038

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\log4net.config

Filesize
813B

MD5
f6f8cd68eabfb8b7131d0d4de878272f

SHA1
ddc0655264cfee990bcd96b834bcf6b0e76de7f9

SHA256
087197e3b5820d8b79cad05db5331ecc114e701f273571e2b833e01472897ea5

SHA512
617b6227542b25e0c53cf36897018e524895676d07ddbf95550c18091aaa1af23aedf2fb969b2c752364867d03252c624a537ffa23523e5bd10850e81b426e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b564f21-0b7c-443a-a9ab-156aacfa2e95\log4net.dll

Filesize
274KB

MD5
8cc649cf5d9c869294f03297a131ed86

SHA1
5f1891ea1dea67e854991c6ab0a720b158ec42df

SHA256
8e5122fc22ad819e37591d2302ffc1d840483ad9a2bf9e342301f75c3baab2c7

SHA512
d39aa488f7560385e5617ff9c4ea1693c5672e4b6d82371051a2f3eb289287be29d34a3d2e1ea3362961f3d675082596a77405685e0eae3b746fcee58e884dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab82F7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar82FA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Filesize
1.2MB

MD5
84b087e870e3d3c6a2527df7cb09e17c

SHA1
cd960da3740cda1799cb072e1b90079415e46799

SHA256
acde4f1c50f0ff2d01c333dda68d894cc95d3e7526633b0f49456f587d0b1d17

SHA512
45bb754b4c788b7590c1e9086f0bc7adedb33f5daf411a88830f34688d47c28459ea174e81b8564016333aaff8214a90af6d5506896638a021031d9491e0e446

Download Submit
memory/1316-157-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/1316-377-0x000000001B850000-0x000000001B900000-memory.dmp

Filesize
704KB

Download
memory/1316-365-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/1316-366-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/1316-367-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/1316-368-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/1316-369-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/1316-370-0x0000000001180000-0x0000000001188000-memory.dmp

Filesize
32KB

Download
memory/1316-371-0x0000000001170000-0x0000000001178000-memory.dmp

Filesize
32KB

Download
memory/1316-363-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/1316-374-0x00000000011B0000-0x00000000011B8000-memory.dmp

Filesize
32KB

Download
memory/1316-161-0x0000000001120000-0x0000000001166000-memory.dmp

Filesize
280KB

Download
memory/1316-159-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/1316-364-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/1316-383-0x00000000011C0000-0x00000000011CA000-memory.dmp

Filesize
40KB

Download
memory/1316-382-0x00000000011C0000-0x00000000011CA000-memory.dmp

Filesize
40KB

Download
memory/1316-156-0x00000000001E0000-0x0000000000208000-memory.dmp

Filesize
160KB

Download
memory/1316-123-0x00000000011E0000-0x00000000012D0000-memory.dmp

Filesize
960KB

Download
memory/1316-121-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/1316-396-0x00000000011C0000-0x00000000011CA000-memory.dmp

Filesize
40KB

Download
memory/1316-394-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/2128-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2128-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2312-12-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2312-392-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2312-393-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-13-0x0000000000CF0000-0x0000000000E20000-memory.dmp

Filesize
1.2MB

Download
memory/2312-116-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads