af18c1e923667ab287cd2699203e0bb6e6030dee131299ea670bc842dec76745

General

Target

0f65b4fa711b40e3c89a81fa69d8690f.exe
Size

16KB
MD5

0f65b4fa711b40e3c89a81fa69d8690f
SHA1

19240a26f205be2f8b4f4e00583a987e184f2875
SHA256

af18c1e923667ab287cd2699203e0bb6e6030dee131299ea670bc842dec76745
SHA512

82a3f01024ebf9c56c6f77d4c51003d3892e6da40a0efea34e08ddcca6786f3e3e7b6e2b18a95bf407c723a770f71e94eb90f68fb18726513a0dbac35b7e8f52

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

tmp9754tmp.exetmp9754tmp.exe

pid process

1504 tmp9754tmp.exe
2148 tmp9754tmp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3172-137-0x0000000000400000-0x0000000000A16000-memory.dmp	upx
behavioral2/memory/3172-138-0x0000000000400000-0x0000000000A16000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url	wscript.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

tmp9754tmp.exetmp9754tmp.exe

description	pid	process	target process
PID 1504 set thread context of 2148	1504	tmp9754tmp.exe	tmp9754tmp.exe
PID 2148 set thread context of 3172	2148	tmp9754tmp.exe	notepad.exe
PID 2148 set thread context of 2288	2148	tmp9754tmp.exe	notepad.exe
PID 2148 set thread context of 2716	2148	tmp9754tmp.exe	notepad.exe
PID 2148 set thread context of 4092	2148	tmp9754tmp.exe	notepad.exe
PID 2148 set thread context of 3516	2148	tmp9754tmp.exe	notepad.exe
PID 2148 set thread context of 3960	2148	tmp9754tmp.exe	notepad.exe
PID 2148 set thread context of 916	2148	tmp9754tmp.exe	notepad.exe
PID 2148 set thread context of 796	2148	tmp9754tmp.exe	notepad.exe
PID 2148 set thread context of 592	2148	tmp9754tmp.exe	notepad.exe
PID 2148 set thread context of 2172	2148	tmp9754tmp.exe	notepad.exe
PID 2148 set thread context of 2288	2148	tmp9754tmp.exe	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
796	3172	WerFault.exe	notepad.exe
2672	2288	WerFault.exe	notepad.exe
2968	2716	WerFault.exe	notepad.exe
2300	4092	WerFault.exe	notepad.exe
4008	3516	WerFault.exe	notepad.exe
2220	3960	WerFault.exe	notepad.exe
2244	916	WerFault.exe	notepad.exe
3772	796	WerFault.exe	notepad.exe
1328	592	WerFault.exe	notepad.exe
1464	2172	WerFault.exe	notepad.exe
2948	2288	WerFault.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp9754tmp.exetmp9754tmp.exe

pid	process
1504	tmp9754tmp.exe
1504	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe
2148	tmp9754tmp.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

0f65b4fa711b40e3c89a81fa69d8690f.exetmp9754tmp.exetmp9754tmp.exe

description	pid	process
Token: SeDebugPrivilege	2388	0f65b4fa711b40e3c89a81fa69d8690f.exe
Token: SeDebugPrivilege	1504	tmp9754tmp.exe
Token: SeDebugPrivilege	2148	tmp9754tmp.exe
Token: SeDebugPrivilege	2148	tmp9754tmp.exe
Token: SeDebugPrivilege	2148	tmp9754tmp.exe
Token: SeDebugPrivilege	2148	tmp9754tmp.exe
Token: SeDebugPrivilege	2148	tmp9754tmp.exe
Token: SeDebugPrivilege	2148	tmp9754tmp.exe
Token: SeDebugPrivilege	2148	tmp9754tmp.exe
Token: SeDebugPrivilege	2148	tmp9754tmp.exe
Token: SeDebugPrivilege	2148	tmp9754tmp.exe
Token: SeDebugPrivilege	2148	tmp9754tmp.exe
Token: SeDebugPrivilege	2148	tmp9754tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0f65b4fa711b40e3c89a81fa69d8690f.exetmp9754tmp.exetmp9754tmp.execmd.exe

description	pid	process	target process
PID 2388 wrote to memory of 1504	2388	0f65b4fa711b40e3c89a81fa69d8690f.exe	tmp9754tmp.exe
PID 2388 wrote to memory of 1504	2388	0f65b4fa711b40e3c89a81fa69d8690f.exe	tmp9754tmp.exe
PID 2388 wrote to memory of 1504	2388	0f65b4fa711b40e3c89a81fa69d8690f.exe	tmp9754tmp.exe
PID 1504 wrote to memory of 2148	1504	tmp9754tmp.exe	tmp9754tmp.exe
PID 1504 wrote to memory of 2148	1504	tmp9754tmp.exe	tmp9754tmp.exe
PID 1504 wrote to memory of 2148	1504	tmp9754tmp.exe	tmp9754tmp.exe
PID 1504 wrote to memory of 2148	1504	tmp9754tmp.exe	tmp9754tmp.exe
PID 1504 wrote to memory of 2148	1504	tmp9754tmp.exe	tmp9754tmp.exe
PID 1504 wrote to memory of 2148	1504	tmp9754tmp.exe	tmp9754tmp.exe
PID 1504 wrote to memory of 2148	1504	tmp9754tmp.exe	tmp9754tmp.exe
PID 1504 wrote to memory of 2148	1504	tmp9754tmp.exe	tmp9754tmp.exe
PID 1504 wrote to memory of 2148	1504	tmp9754tmp.exe	tmp9754tmp.exe
PID 2148 wrote to memory of 3172	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3172	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3172	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3172	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3172	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3172	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3172	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3172	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2288	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2288	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2288	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2288	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2288	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2288	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2288	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2288	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2716	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2716	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2716	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2716	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2716	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2716	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2716	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 2716	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3064	2148	tmp9754tmp.exe	cmd.exe
PID 2148 wrote to memory of 3064	2148	tmp9754tmp.exe	cmd.exe
PID 2148 wrote to memory of 3064	2148	tmp9754tmp.exe	cmd.exe
PID 3064 wrote to memory of 196	3064	cmd.exe	wscript.exe
PID 3064 wrote to memory of 196	3064	cmd.exe	wscript.exe
PID 3064 wrote to memory of 196	3064	cmd.exe	wscript.exe
PID 2148 wrote to memory of 4092	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 4092	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 4092	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 4092	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 4092	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 4092	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 4092	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 4092	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3516	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3516	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3516	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3516	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3516	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3516	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3516	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3516	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3960	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3960	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3960	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3960	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3960	2148	tmp9754tmp.exe	notepad.exe
PID 2148 wrote to memory of 3960	2148	tmp9754tmp.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\0f65b4fa711b40e3c89a81fa69d8690f.exe
"C:\Users\Admin\AppData\Local\Temp\0f65b4fa711b40e3c89a81fa69d8690f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\tmp9754tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9754tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\tmp9754tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp9754tmp.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
4⤵
PID:3172

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3172 -s 180
5⤵
- Program crash
PID:796

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
4⤵
PID:2288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2288 -s 180
5⤵
- Program crash
PID:2672

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
4⤵
PID:2716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2716 -s 112
5⤵
- Program crash
PID:2968

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
5⤵
- Drops startup file
PID:196

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
4⤵
PID:4092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4092 -s 180
5⤵
- Program crash
PID:2300

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
4⤵
PID:3516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3516 -s 180
5⤵
- Program crash
PID:4008

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
4⤵
PID:3960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3960 -s 180
5⤵
- Program crash
PID:2220

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
4⤵
PID:916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 916 -s 180
5⤵
- Program crash
PID:2244

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
4⤵
PID:796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 796 -s 192
5⤵
- Program crash
PID:3772

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
4⤵
PID:592

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 592 -s 180
5⤵
- Program crash
PID:1328

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
4⤵
PID:2172

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2172 -s 180
5⤵
- Program crash
PID:1464

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
4⤵
PID:2288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2288 -s 180
5⤵
- Program crash
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LKBNMTFJgl\r.vbs
MD5
19b2d791962e01151e4b6a40a90e8cd8

SHA1
a1ee500267dd1d457b3f840f8a00ba808bb46eb3

SHA256
67824e30ec5d2b61ffb266e8a37e9b929e82d507d09d21961b8293c99816c664

SHA512
4d39fd8f11e86490041190f1419273c702ccd85dcc603e5d7acc9d55cc60031ef1f7cc901a2c09b46d6bdc560a4c81d464c8495e7f9e8707ec7cd999f49c49fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9754tmp.exe
MD5
d572da9202196121d952231f26d65d07

SHA1
8934580e7ee3f3852e159298769bdd38bcaa12a0

SHA256
15337a846c1e262136124361b3624ddd3519cf3c7f93aba1ed75728a482fc662

SHA512
de311f400e980d5fc987d6a5262057823b9dc3f9e7930623fab16c9954977949b3b0901de136548db1f3a7b5d864dad2738c791d511241ce4e49e8d83f7dea5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9754tmp.exe
MD5
d572da9202196121d952231f26d65d07

SHA1
8934580e7ee3f3852e159298769bdd38bcaa12a0

SHA256
15337a846c1e262136124361b3624ddd3519cf3c7f93aba1ed75728a482fc662

SHA512
de311f400e980d5fc987d6a5262057823b9dc3f9e7930623fab16c9954977949b3b0901de136548db1f3a7b5d864dad2738c791d511241ce4e49e8d83f7dea5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9754tmp.exe
MD5
d572da9202196121d952231f26d65d07

SHA1
8934580e7ee3f3852e159298769bdd38bcaa12a0

SHA256
15337a846c1e262136124361b3624ddd3519cf3c7f93aba1ed75728a482fc662

SHA512
de311f400e980d5fc987d6a5262057823b9dc3f9e7930623fab16c9954977949b3b0901de136548db1f3a7b5d864dad2738c791d511241ce4e49e8d83f7dea5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url
MD5
e03e6937ba1878ace3d849b233adecfe

SHA1
affbb4f8b53af6cf35660b775a0a8f70fb95f8b5

SHA256
9846a8975f8e2dbc96cd18d5015c03b4d8226fddf69bcb99a0610c855b0a9e6d

SHA512
99ea03b8635d89409c6e65dc1dd1e995eac8c02e373f3b01faa7d715f347722075cc0d5d629914399505a2ca8ffb80bfa8cafa9d99a2e702d1fcd94fb0baeca9

Download Submit
memory/196-153-0x0000000000000000-mapping.dmp

Download
memory/592-183-0x0000000000A14AA0-mapping.dmp

Download
memory/796-178-0x0000000000A14AA0-mapping.dmp

Download
memory/916-173-0x0000000000A14AA0-mapping.dmp

Download
memory/1504-124-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/1504-126-0x00000000056F0000-0x0000000005BEE000-memory.dmp

Filesize
5.0MB

Download
memory/1504-127-0x0000000008B30000-0x0000000008D39000-memory.dmp

Filesize
2.0MB

Download
memory/1504-132-0x00000000050E0000-0x0000000005155000-memory.dmp

Filesize
468KB

Download
memory/1504-117-0x0000000000000000-mapping.dmp

Download
memory/1504-120-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1504-125-0x00000000056F0000-0x0000000005BEE000-memory.dmp

Filesize
5.0MB

Download
memory/1504-122-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/1504-123-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/2148-133-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2148-136-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2148-134-0x0000000000404470-mapping.dmp

Download
memory/2172-188-0x0000000000A14AA0-mapping.dmp

Download
memory/2288-144-0x0000000000A14AA0-mapping.dmp

Download
memory/2288-191-0x0000000000400000-0x0000000000400138-memory.dmp

Filesize
312B

Download
memory/2288-193-0x0000000000A14AA0-mapping.dmp

Download
memory/2388-114-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2388-116-0x000000001AF50000-0x000000001AF52000-memory.dmp

Filesize
8KB

Download
memory/2716-149-0x0000000000A14AA0-mapping.dmp

Download
memory/3064-152-0x0000000000000000-mapping.dmp

Download
memory/3172-139-0x0000000000A14AA0-mapping.dmp

Download
memory/3172-138-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3172-137-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3516-163-0x0000000000A14AA0-mapping.dmp

Download
memory/3960-168-0x0000000000A14AA0-mapping.dmp

Download
memory/4092-158-0x0000000000A14AA0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads