mimic | 8ab1902c6106ed17855179053bab0b34fbbbbda8fd0a21d0f42f919db12d09f0

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
Size

2.2MB
MD5

22ad737f258a118843efa7f83ff8466e
SHA1

4a532fa9ff30909e0bca7b574eabe7623fad84ae
SHA256

a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e
SHA512

d11d20814dcce8d7edf05c6d8d8bc6ca64dc5da1da23e1c4cb2165734ff358d45b0fcaa93dcf6296b721b47491143aaa2d6270c6a7de783fd79686171dae8788
SSDEEP

49152:Qifu1DBgutBPNcpwcjVpNMkCZZpsYpmwZ3hQ8cTEoDgwRO:QvguPP4wc3NMkCGGmugTEKgwRO

Score

10^/10

mimic neshta discovery persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta payload 40 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b7d-25.dat	family_neshta
behavioral2/files/0x0006000000020220-38.dat	family_neshta
behavioral2/files/0x0007000000020288-37.dat	family_neshta
behavioral2/files/0x000400000002034d-33.dat	family_neshta
behavioral2/files/0x0002000000020317-54.dat	family_neshta
behavioral2/files/0x00010000000214e4-64.dat	family_neshta
behavioral2/files/0x00010000000214e3-62.dat	family_neshta
behavioral2/files/0x0001000000022f80-74.dat	family_neshta
behavioral2/files/0x0001000000016857-82.dat	family_neshta
behavioral2/files/0x000100000001dbd2-97.dat	family_neshta
behavioral2/files/0x000100000001691b-103.dat	family_neshta
behavioral2/files/0x0001000000016916-114.dat	family_neshta
behavioral2/files/0x0001000000022e80-118.dat	family_neshta
behavioral2/files/0x00020000000215d7-120.dat	family_neshta
behavioral2/files/0x0002000000000729-119.dat	family_neshta
behavioral2/files/0x0001000000022e7c-117.dat	family_neshta
behavioral2/files/0x0001000000016972-115.dat	family_neshta
behavioral2/files/0x0001000000016924-112.dat	family_neshta
behavioral2/files/0x0001000000016919-116.dat	family_neshta
behavioral2/files/0x0001000000022746-135.dat	family_neshta
behavioral2/files/0x000100000002273e-134.dat	family_neshta
behavioral2/files/0x000200000002276d-138.dat	family_neshta
behavioral2/files/0x000500000001e288-139.dat	family_neshta
behavioral2/files/0x000400000001e6c0-142.dat	family_neshta
behavioral2/files/0x000a00000001e7fa-152.dat	family_neshta
behavioral2/files/0x000b00000001ee01-151.dat	family_neshta
behavioral2/files/0x000500000001e8be-150.dat	family_neshta
behavioral2/files/0x000b00000001e600-149.dat	family_neshta
behavioral2/files/0x000e00000001f3c1-148.dat	family_neshta
behavioral2/files/0x000300000001e8c5-141.dat	family_neshta
behavioral2/files/0x000300000001e86f-140.dat	family_neshta
behavioral2/memory/2708-153-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/116-154-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2708-155-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/116-156-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2708-157-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/116-158-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/116-162-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2708-163-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2372-173-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detects Mimic ransomware 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b9d-183.dat	family_mimic

Mimic
Ransomware family was first exploited in the wild in 2022.
ransomware mimic
Mimic family
mimic
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe

Executes dropped EXE 5 IoCs

pid	Process
380	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
116	svchost.com
2968	7za.exe
2372	svchost.com
4072	7za.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2968	7za.exe
Token: 35	2968	7za.exe
Token: SeRestorePrivilege	4072	7za.exe
Token: 35	4072	7za.exe
Token: SeSecurityPrivilege	4072	7za.exe
Token: SeSecurityPrivilege	4072	7za.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 380	2708	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe	83
PID 2708 wrote to memory of 380	2708	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe	83
PID 2708 wrote to memory of 380	2708	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe	83
PID 380 wrote to memory of 116	380	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe	84
PID 380 wrote to memory of 116	380	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe	84
PID 380 wrote to memory of 116	380	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe	84
PID 116 wrote to memory of 2968	116	svchost.com	85
PID 116 wrote to memory of 2968	116	svchost.com	85
PID 116 wrote to memory of 2968	116	svchost.com	85
PID 380 wrote to memory of 2372	380	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe	99
PID 380 wrote to memory of 2372	380	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe	99
PID 380 wrote to memory of 2372	380	a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe	99
PID 2372 wrote to memory of 4072	2372	svchost.com	100
PID 2372 wrote to memory of 4072	2372	svchost.com	100
PID 2372 wrote to memory of 4072	2372	svchost.com	100

C:\Users\Admin\AppData\Local\Temp\a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
"C:\Users\Admin\AppData\Local\Temp\a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\3582-490\a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe i
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2968
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p89905472210203597 Everything64.dll
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe x -y -p89905472210203597 Everything64.dll
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
366KB

MD5
814434ae16b63ef396afefd41b22206a

SHA1
7aa89a223d9ed97136077aff6d4a08fa80328f3b

SHA256
92b21fd8f563efb9f693defce3107fe3e55e462561a852a5409aadcca703e9f1

SHA512
b35afc631fdf31e6e81d85c028e19af6b39bf88a908eb5e2d511900b4a303e4c6d4eab99793b3549d3bc70aaadf0da0926f55e35f0a3bd466b871ca61d8847ca

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE

Filesize
139KB

MD5
1e09e65111ab34cb84f7855d3cddc680

SHA1
f9f852104b46d99cc7f57a6f40d5db2090be04c0

SHA256
8f5c7c8e0258a5caa37637b2fa36f3bd87569a97b5c1ecf40dab50e7255fcf9c

SHA512
003176cb9dd7668b1b40e4d60d86d57c1a9ec4d873382aab781b31c8c89f0e388f3d406963f159412e2828d0be9f6daea146a252d8ee47281dda01123c9e7ace

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE

Filesize
1.7MB

MD5
4754ef85cf5992c484e75c0859cd0c12

SHA1
199b550e52f74d5a9932b1210979bc79a9b8f6fd

SHA256
da6de758d909ff5b7fb150a4a6a6b9774951aa2bd7c93966ea8951647386c330

SHA512
22c557807b81aac91c65643abb73f212d13f7c4504b6bb14e82bd9cf91319f2daadafa67425d91fa95f1d39c3700684f928e7d68468cb192c4c0be71b9f9b5ab

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE

Filesize
244KB

MD5
da18586b25e72ff40c0f24da690a2edc

SHA1
27a388f3cdcfa7357f971b5c4411ea5aa1b9e5f5

SHA256
67f6e8f14bcf0e6d570c1f4ac5a1bb80a4e1470b5bad5a7ee85689c476597d8e

SHA512
3512820a9d37b61f77a79b2d4d3f6aec9ef53dbf81071bee16f5dcc8173393a1cd1bffe9f7f39467b72f9c9271a78e42078e68598934188d9df0b887f2edc5ab

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE

Filesize
317KB

MD5
7e116dae10827703962b7314c99238ca

SHA1
3244df55057e3e590982652ba721565145aec09e

SHA256
77fd9e44a46878853cbb67d49154363fb41199f93b5aa77cd6012a63b1231831

SHA512
f3a4283ba3690e223379ba7a2d1737933d6b95e88a3a2db75594de105b6edef72f92de07f220e81a4e7d03656bf41f05eef7488206aee0b0c08abcc45746ced3

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
290KB

MD5
23b1708cd5e7409832fe36f125844e7a

SHA1
39ec7d4322cf4ccea82ee65343d05459c5eb3f3e

SHA256
03e0297166fcd0b5a439d974080fbd5efbb48dfe3b019ab11faa89ecc372765f

SHA512
d6291f0a98f1dfedd81589f07d219df23a9e734680975d5e2d91553767927bd2b7ed915e6f5974767277fb813e14f8549caf57f96912ea3cebe28b73ca3ec62e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
c0ac85794f04cb1648989075e6dfa55c

SHA1
c4e2ae9b72b40cd2eca4a178400c3832ad1df89e

SHA256
a62f88cb577ffe115d6b712dc4c559d5b9852f055ebbab092fda223b5e0dd046

SHA512
ef2f2a9b04e20a0dc7f5f088119d0f6e32801948e11f7f7a05e1e80c0e4313b6faa2527e4e8f15f878219e593ee0afc8350ade9094beae4a0c1f5107e2cf6a15

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

Filesize
1.1MB

MD5
5c78384d8eb1f6cb8cb23d515cfe7c98

SHA1
b732ab6c3fbf2ded8a4d6c8962554d119f59082e

SHA256
9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564

SHA512
99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
274KB

MD5
d84f63a0bf5eff0c8c491f69b81d1a36

SHA1
17c7d7ae90e571e99f1b1685872f91c04ee76e85

SHA256
06d363997722b0e3c4787f72ca61cb2a8ad59ea7ba8a9d14eafa8a8a550687a2

SHA512
865aab84cfe40604ffd013d8517a538eb1322b90372d236821c0e39e285a20bdad755ddff8d59d8af47a9b10b6c77947abc9148761e75892c617db8503b0ef6e

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
141KB

MD5
3cfd732cd6a3399c411739a8b75b5ae2

SHA1
242b02177cbec61819c11c35c903a2994e83ae10

SHA256
e90c627265bc799db00828179a5d76717a577086755043ba223a9ac78510a2ff

SHA512
b7b61c5f9dab2c6a4e5157a934db5bb26727418698fa44f05fbb9af38cd93dee0261f3f28700bc5cb21e8947a542c3ee6166375ea262c19d41e84c68b0d0fc72

Download Submit
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

Filesize
494KB

MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
31685b921fcd439185495e2bdc8c5ebf

SHA1
5d171dd1f2fc2ad55bde2e3c16a58abff07ae636

SHA256
4798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c

SHA512
04a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{63880~1\WINDOW~1.EXE

Filesize
650KB

MD5
558fdb0b9f097118b0c928bb6062370a

SHA1
ad971a9a4cac3112a494a167e1b7736dcd6718b3

SHA256
90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924

SHA512
5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE

Filesize
650KB

MD5
2f826daacb184077b67aad3fe30e3413

SHA1
981d415fe70414aaac3a11024e65ae2e949aced8

SHA256
a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222

SHA512
2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

Filesize
650KB

MD5
72d0addae57f28c993b319bfafa190ac

SHA1
8082ad7a004a399f0edbf447425f6a0f6c772ff3

SHA256
671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18

SHA512
98bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
3e8de969e12cd5e6292489a12a9834b6

SHA1
285b89585a09ead4affa32ecaaa842bc51d53ad5

SHA256
7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

SHA512
b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE

Filesize
499KB

MD5
346d2ff654d6257364a7c32b1ec53c09

SHA1
224301c0f56a870f20383c45801ec16d01dc48d1

SHA256
a811042693bc2b31be7e3f454b12312f67bc97f2b15335a97e8d8f2ba0a6b255

SHA512
223545e3fc9f3cd66c5cbcb50dd7103743788f03a9db398da6dd2744ccaeee291f385ce4f2758d4504fc0f6b968fabbfe16ba03b5f546b743c51dacad7a049c3

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE

Filesize
293KB

MD5
f3228c24035b3f54f78bb4fd11c36aeb

SHA1
2fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb

SHA256
d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7

SHA512
b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE

Filesize
2.4MB

MD5
1319acbba64ecbcd5e3f16fc3acd693c

SHA1
f5d64f97194846bd0564d20ee290d35dd3df40b0

SHA256
8c6f9493c2045bb7c08630cf3709a63e221001f04289b311efb259de3eb76bce

SHA512
abbbb0abfff1698e2d3c4d27d84421b90abba1238b45884b82ace20d11ddfdd92bf206519fc01714235fb840258bb1c647c544b9a19d36f155bf3224916805b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a948d5a671ce86b84f514772a178e4526939b86331b207de201304686307e66e.exe

Filesize
2.2MB

MD5
801c430414f434df6fc24a9891b3b118

SHA1
27301b1a6c2078f4eec06ec6f1f947f22a1598fc

SHA256
2423f6e4b6f015042c4de4a4ad457629b7c4737ec19352abac9dd6136ba46d68

SHA512
e2c5e42a09c235d89ceb298ed27815c5b922e547568111ae916032f5cb85d89b197080d6641cf697f2fa18e11aebe66bef1669dc2155e9a89bfeb5e05eff1c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe

Filesize
772KB

MD5
b93eb0a48c91a53bda6a1a074a4b431e

SHA1
ac693a14c697b1a8ee80318e260e817b8ee2aa86

SHA256
ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

SHA512
732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]

Filesize
2.3MB

MD5
6775b0b2cdd7cd537f132f77b73144b0

SHA1
a1bfc2ea21424a20431d0ac527916c7463eabb65

SHA256
4d5a5a19280efcff80150219ab749ca08c692e876b3a9f6a71c1af63b971f47f

SHA512
b1bea613fdb9c3d049243f82cb7370ac0c62eed38e6eec3d3312ca3f7e4cfc12283f244ea1eafafa123927b41cc9667603a55058991e8a23e8a4df151de65749

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini

Filesize
548B

MD5
742c2400f2de964d0cce4a8dabadd708

SHA1
c452d8d4c3a82af4bc57ca8a76e4407aaf90deca

SHA256
2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01

SHA512
63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini

Filesize
550B

MD5
51014c0c06acdd80f9ae4469e7d30a9e

SHA1
204e6a57c44242fad874377851b13099dfe60176

SHA256
89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

SHA512
79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll

Filesize
1.2MB

MD5
3983d31b7a906d3351ef223ab4ffaa0a

SHA1
65b317231fbe779516558261b4b0f3e839e7e946

SHA256
db3ba29eb00805d400c41be842b176a24c2a14efffb9a78ed34e630749bf31c1

SHA512
5231b5b31aa9702aef52fcde8ce384477ff4ff1a7cc9f9a634035aaa2d328e0eaf991228b71b5e0c51ecf737b95c6a6a937808d22a4ca64432a2c74fbd9f4595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe

Filesize
350KB

MD5
803df907d936e08fbbd06020c411be93

SHA1
4aa4b498ae037a2b0479659374a5c3af5f6b8d97

SHA256
e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

SHA512
5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
77f8b77d94b3c227ef1812bec56e1b15

SHA1
c17e57035e912952f410c0b4ff1419fe73218b29

SHA256
eb95d47507d28b6c762de0825a563d7b004d16e4ea6de222ff41a7e466e1a8b4

SHA512
49d9892f4d82a37b5546f4eb1ca3a23a79cfdbb5c59e00ec3bfe2c1064f672b6ed147ac776d1be76d010800ee730c00649e1e9a2cd5df409700ed0789b5bd34f

Download Submit
C:\Windows\directx.sys

Filesize
55B

MD5
46bc0aeaa9047291ac2842d4a67418a6

SHA1
25991aecd5292a2ef58da7ec7335a7216ae1e15f

SHA256
e3ee98d23efd940c86489c855abc5882850a9ba29ec5aa50423f3b6cc38f36e9

SHA512
f0b3ab4b7466c747c6f2d7e57cff68f919610d1fbc5fc89f7890689761b8a015c77d6b69846ea8c1e2b578a84d668d6e00d466744f421f754c7212da35ed089d

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/116-162-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/116-158-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/116-156-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/116-154-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2372-173-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-163-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-157-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-155-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-153-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads