4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024

General

Target

4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
Size

423KB
MD5

055c2fba242d03ae153be4a796c55ae2
SHA1

be71b94e30d5465d8b72e1fc7c0137024f97baee
SHA256

4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024
SHA512

20b31f6db488d26c1f7564106e455a77461e8a9934718e72c6c917e3ec688a9a597a05f1b93584fd88d3e867f09a470eb90094e27c2525939894973d31498890

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\FormatDeny.png.crypted	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1000	vssadmin.exe
580	vssadmin.exe
1140	vssadmin.exe
2216	vssadmin.exe
2136	vssadmin.exe
2064	vssadmin.exe
3744	vssadmin.exe
3524	vssadmin.exe
2788	vssadmin.exe
1328	vssadmin.exe
908	vssadmin.exe
3948	vssadmin.exe
196	vssadmin.exe
2212	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3160 taskkill.exe
2952 taskkill.exe
3772 taskkill.exe
Runs net.exe

pid	process
3160	taskkill.exe
2952	taskkill.exe
3772	taskkill.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe

pid	process
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
Token: SeDebugPrivilege	3160	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeBackupPrivilege	3148	vssvc.exe
Token: SeRestorePrivilege	3148	vssvc.exe
Token: SeAuditPrivilege	3148	vssvc.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 740 wrote to memory of 4048	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	net.exe
PID 740 wrote to memory of 4048	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	net.exe
PID 4048 wrote to memory of 3888	4048	net.exe	net1.exe
PID 4048 wrote to memory of 3888	4048	net.exe	net1.exe
PID 740 wrote to memory of 496	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	net.exe
PID 740 wrote to memory of 496	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	net.exe
PID 496 wrote to memory of 3148	496	net.exe	net1.exe
PID 496 wrote to memory of 3148	496	net.exe	net1.exe
PID 740 wrote to memory of 192	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	net.exe
PID 740 wrote to memory of 192	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	net.exe
PID 192 wrote to memory of 2272	192	net.exe	net1.exe
PID 192 wrote to memory of 2272	192	net.exe	net1.exe
PID 740 wrote to memory of 3700	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	net.exe
PID 740 wrote to memory of 3700	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	net.exe
PID 3700 wrote to memory of 3380	3700	net.exe	net1.exe
PID 3700 wrote to memory of 3380	3700	net.exe	net1.exe
PID 740 wrote to memory of 3140	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	net.exe
PID 740 wrote to memory of 3140	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	net.exe
PID 3140 wrote to memory of 2212	3140	net.exe	net1.exe
PID 3140 wrote to memory of 2212	3140	net.exe	net1.exe
PID 740 wrote to memory of 2164	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	sc.exe
PID 740 wrote to memory of 2164	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	sc.exe
PID 740 wrote to memory of 3872	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	sc.exe
PID 740 wrote to memory of 3872	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	sc.exe
PID 740 wrote to memory of 1208	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	sc.exe
PID 740 wrote to memory of 1208	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	sc.exe
PID 740 wrote to memory of 3976	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	sc.exe
PID 740 wrote to memory of 3976	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	sc.exe
PID 740 wrote to memory of 3160	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	taskkill.exe
PID 740 wrote to memory of 3160	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	taskkill.exe
PID 740 wrote to memory of 2952	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	taskkill.exe
PID 740 wrote to memory of 2952	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	taskkill.exe
PID 740 wrote to memory of 3772	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	taskkill.exe
PID 740 wrote to memory of 3772	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	taskkill.exe
PID 740 wrote to memory of 2788	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 2788	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 1328	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 1328	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 2216	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 2216	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 2064	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 2064	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 2136	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 2136	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 1000	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 1000	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 3744	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 3744	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 580	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 580	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 908	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 908	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 196	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 196	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 1140	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 1140	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 2212	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 2212	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 3524	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 3524	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 3948	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe
PID 740 wrote to memory of 3948	740	4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
"C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:3888

C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:3148

C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
2⤵
- Suspicious use of WriteProcessMemory
PID:192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:2272

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:3380

C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:2212

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:2164

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:3872

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1208

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:3976

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2788

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1328

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:2216

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2064

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2136

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1000

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3744

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:580

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:908

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:196

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1140

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2212

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3524

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/192-121-0x0000000000000000-mapping.dmp

Download
memory/196-143-0x0000000000000000-mapping.dmp

Download
memory/496-119-0x0000000000000000-mapping.dmp

Download
memory/580-141-0x0000000000000000-mapping.dmp

Download
memory/740-114-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/740-118-0x0000000002C10000-0x0000000002C12000-memory.dmp

Filesize
8KB

Download
memory/908-142-0x0000000000000000-mapping.dmp

Download
memory/1000-139-0x0000000000000000-mapping.dmp

Download
memory/1140-144-0x0000000000000000-mapping.dmp

Download
memory/1208-129-0x0000000000000000-mapping.dmp

Download
memory/1328-135-0x0000000000000000-mapping.dmp

Download
memory/2064-137-0x0000000000000000-mapping.dmp

Download
memory/2136-138-0x0000000000000000-mapping.dmp

Download
memory/2164-127-0x0000000000000000-mapping.dmp

Download
memory/2212-126-0x0000000000000000-mapping.dmp

Download
memory/2212-145-0x0000000000000000-mapping.dmp

Download
memory/2216-136-0x0000000000000000-mapping.dmp

Download
memory/2272-122-0x0000000000000000-mapping.dmp

Download
memory/2788-134-0x0000000000000000-mapping.dmp

Download
memory/2952-132-0x0000000000000000-mapping.dmp

Download
memory/3140-125-0x0000000000000000-mapping.dmp

Download
memory/3148-120-0x0000000000000000-mapping.dmp

Download
memory/3160-131-0x0000000000000000-mapping.dmp

Download
memory/3380-124-0x0000000000000000-mapping.dmp

Download
memory/3524-146-0x0000000000000000-mapping.dmp

Download
memory/3700-123-0x0000000000000000-mapping.dmp

Download
memory/3744-140-0x0000000000000000-mapping.dmp

Download
memory/3772-133-0x0000000000000000-mapping.dmp

Download
memory/3872-128-0x0000000000000000-mapping.dmp

Download
memory/3888-117-0x0000000000000000-mapping.dmp

Download
memory/3948-147-0x0000000000000000-mapping.dmp

Download
memory/3976-130-0x0000000000000000-mapping.dmp

Download
memory/4048-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads