47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536

General

Target

47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe
Size

4.9MB
MD5

7b7cfe46454f0f7a9c046636eb66dda0
SHA1

9ef56977d9b96e81e42f94ef29b144698685e5d3
SHA256

47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536
SHA512

28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

services64.exesihost32.exe

pid process

1724 services64.exe
420 sihost32.exe

pid	process
1724	services64.exe
420	sihost32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exeservices64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	services64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	services64.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2376-119-0x00007FF7D0550000-0x00007FF7D0551000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\services64.exe	themida
C:\Users\Admin\AppData\Local\Temp\services64.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exeservices64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exeservices64.exe

pid process

2376 47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe
1724 services64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1640 schtasks.exe

pid	process
1640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exepowershell.exepowershell.exeservices64.exepowershell.exepowershell.exe

pid	process
2376	47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3356	powershell.exe
3356	powershell.exe
3356	powershell.exe
1724	services64.exe
1724	services64.exe
3260	powershell.exe
3260	powershell.exe
3260	powershell.exe
2668	powershell.exe
2668	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exepowershell.exepowershell.exeservices64.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2376	47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeIncreaseQuotaPrivilege	3664	powershell.exe
Token: SeSecurityPrivilege	3664	powershell.exe
Token: SeTakeOwnershipPrivilege	3664	powershell.exe
Token: SeLoadDriverPrivilege	3664	powershell.exe
Token: SeSystemProfilePrivilege	3664	powershell.exe
Token: SeSystemtimePrivilege	3664	powershell.exe
Token: SeProfSingleProcessPrivilege	3664	powershell.exe
Token: SeIncBasePriorityPrivilege	3664	powershell.exe
Token: SeCreatePagefilePrivilege	3664	powershell.exe
Token: SeBackupPrivilege	3664	powershell.exe
Token: SeRestorePrivilege	3664	powershell.exe
Token: SeShutdownPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeSystemEnvironmentPrivilege	3664	powershell.exe
Token: SeRemoteShutdownPrivilege	3664	powershell.exe
Token: SeUndockPrivilege	3664	powershell.exe
Token: SeManageVolumePrivilege	3664	powershell.exe
Token: 33	3664	powershell.exe
Token: 34	3664	powershell.exe
Token: 35	3664	powershell.exe
Token: 36	3664	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeIncreaseQuotaPrivilege	3356	powershell.exe
Token: SeSecurityPrivilege	3356	powershell.exe
Token: SeTakeOwnershipPrivilege	3356	powershell.exe
Token: SeLoadDriverPrivilege	3356	powershell.exe
Token: SeSystemProfilePrivilege	3356	powershell.exe
Token: SeSystemtimePrivilege	3356	powershell.exe
Token: SeProfSingleProcessPrivilege	3356	powershell.exe
Token: SeIncBasePriorityPrivilege	3356	powershell.exe
Token: SeCreatePagefilePrivilege	3356	powershell.exe
Token: SeBackupPrivilege	3356	powershell.exe
Token: SeRestorePrivilege	3356	powershell.exe
Token: SeShutdownPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeSystemEnvironmentPrivilege	3356	powershell.exe
Token: SeRemoteShutdownPrivilege	3356	powershell.exe
Token: SeUndockPrivilege	3356	powershell.exe
Token: SeManageVolumePrivilege	3356	powershell.exe
Token: 33	3356	powershell.exe
Token: 34	3356	powershell.exe
Token: 35	3356	powershell.exe
Token: 36	3356	powershell.exe
Token: SeDebugPrivilege	1724	services64.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeIncreaseQuotaPrivilege	3260	powershell.exe
Token: SeSecurityPrivilege	3260	powershell.exe
Token: SeTakeOwnershipPrivilege	3260	powershell.exe
Token: SeLoadDriverPrivilege	3260	powershell.exe
Token: SeSystemProfilePrivilege	3260	powershell.exe
Token: SeSystemtimePrivilege	3260	powershell.exe
Token: SeProfSingleProcessPrivilege	3260	powershell.exe
Token: SeIncBasePriorityPrivilege	3260	powershell.exe
Token: SeCreatePagefilePrivilege	3260	powershell.exe
Token: SeBackupPrivilege	3260	powershell.exe
Token: SeRestorePrivilege	3260	powershell.exe
Token: SeShutdownPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeSystemEnvironmentPrivilege	3260	powershell.exe
Token: SeRemoteShutdownPrivilege	3260	powershell.exe
Token: SeUndockPrivilege	3260	powershell.exe
Token: SeManageVolumePrivilege	3260	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.execmd.execmd.execmd.exeservices64.execmd.exe

description	pid	process	target process
PID 2376 wrote to memory of 2704	2376	47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe	cmd.exe
PID 2376 wrote to memory of 2704	2376	47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe	cmd.exe
PID 2704 wrote to memory of 3664	2704	cmd.exe	powershell.exe
PID 2704 wrote to memory of 3664	2704	cmd.exe	powershell.exe
PID 2376 wrote to memory of 824	2376	47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe	cmd.exe
PID 2376 wrote to memory of 824	2376	47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe	cmd.exe
PID 824 wrote to memory of 1640	824	cmd.exe	schtasks.exe
PID 824 wrote to memory of 1640	824	cmd.exe	schtasks.exe
PID 2704 wrote to memory of 3356	2704	cmd.exe	powershell.exe
PID 2704 wrote to memory of 3356	2704	cmd.exe	powershell.exe
PID 2376 wrote to memory of 1248	2376	47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe	cmd.exe
PID 2376 wrote to memory of 1248	2376	47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe	cmd.exe
PID 1248 wrote to memory of 1724	1248	cmd.exe	services64.exe
PID 1248 wrote to memory of 1724	1248	cmd.exe	services64.exe
PID 1724 wrote to memory of 1996	1724	services64.exe	cmd.exe
PID 1724 wrote to memory of 1996	1724	services64.exe	cmd.exe
PID 1996 wrote to memory of 3260	1996	cmd.exe	powershell.exe
PID 1996 wrote to memory of 3260	1996	cmd.exe	powershell.exe
PID 1724 wrote to memory of 420	1724	services64.exe	sihost32.exe
PID 1724 wrote to memory of 420	1724	services64.exe	sihost32.exe
PID 1996 wrote to memory of 2668	1996	cmd.exe	powershell.exe
PID 1996 wrote to memory of 2668	1996	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe
"C:\Users\Admin\AppData\Local\Temp\47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
3⤵
- Creates scheduled task(s)
PID:1640

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\services64.exe
C:\Users\Admin\AppData\Local\Temp\services64.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:420

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4f4d544f88233280c84be1456ab652be

SHA1
2b37aba2955b88551820c17e43e38abad35214cf

SHA256
f6883218ef771d0e0457bd36991368aeab98b4d1055093ce77b390fb7dfc727a

SHA512
abd0c55132dfaf2c08f49af1ec38116961d107e51bc0ce00f964f335f3091d95ad3012ade971f39236c5fa7ab96fca8928658b75ba6909800cb7900143f4e623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4ed2874f9ea504c445fab678b6f81e2d

SHA1
71d5e49fca404a74b3f323e60c677b700706eae5

SHA256
c5184197c6f6bde70e0acfb3a212b19e27be897945f47dd0ce92772e04974f1e

SHA512
f7cebca47ed1e5ae1fda0bad427f39721b4f9863b37bafe58dbccf872e673c6ba620e288a7a2a9c90f1fd2f24e5589d624cab141a79dbbdcaa023e9c3e106479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a38c4998cdb79d21860f57907b3f7c50

SHA1
004bd86e4546359cfe4e0c576da6d082cb84ca0e

SHA256
3ef1e1d22cef1618f5b9cd42007ae7d9ef7a3b2d2c0d8432df23d9ebc4001298

SHA512
84ae4a6d8534d1dd4145542e99505ff11bf58ca56bce73c7c17b7df63b41ab6aca4043dec95ccfbf3e932e2462b07f5635eca6a7d6c6d4a7320258abe4f6bf18

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe
MD5
7b7cfe46454f0f7a9c046636eb66dda0

SHA1
9ef56977d9b96e81e42f94ef29b144698685e5d3

SHA256
47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536

SHA512
28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe
MD5
7b7cfe46454f0f7a9c046636eb66dda0

SHA1
9ef56977d9b96e81e42f94ef29b144698685e5d3

SHA256
47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536

SHA512
28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
1674dd9c7a7775b73be309ad1c62ffd4

SHA1
44eca69c94e11a4ad6f186e3205d8a96150b228c

SHA256
d223e6e836d93bf5af48c21fe6ec7a9e31dd4b351111cce77f0b3cd0a2679c0a

SHA512
059918fc77df9663ad57879a50e1a2803a5d84c73117d2a991908043899a88cd16f4b1fb45bdfc93e3a446be6ddbe6546b11cc85553c245b810ea226fb93affd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
1674dd9c7a7775b73be309ad1c62ffd4

SHA1
44eca69c94e11a4ad6f186e3205d8a96150b228c

SHA256
d223e6e836d93bf5af48c21fe6ec7a9e31dd4b351111cce77f0b3cd0a2679c0a

SHA512
059918fc77df9663ad57879a50e1a2803a5d84c73117d2a991908043899a88cd16f4b1fb45bdfc93e3a446be6ddbe6546b11cc85553c245b810ea226fb93affd

Download Submit
memory/420-229-0x0000000000000000-mapping.dmp

Download
memory/420-249-0x0000000003610000-0x0000000003612000-memory.dmp

Filesize
8KB

Download
memory/824-133-0x0000000000000000-mapping.dmp

Download
memory/1248-211-0x0000000000000000-mapping.dmp

Download
memory/1640-134-0x0000000000000000-mapping.dmp

Download
memory/1724-239-0x00007FF900000000-0x00007FF900002000-memory.dmp

Filesize
8KB

Download
memory/1724-240-0x00007FF900030000-0x00007FF900031000-memory.dmp

Filesize
4KB

Download
memory/1724-242-0x0000000000AA0000-0x0000000000AA2000-memory.dmp

Filesize
8KB

Download
memory/1724-213-0x0000000000000000-mapping.dmp

Download
memory/1996-219-0x0000000000000000-mapping.dmp

Download
memory/2376-138-0x00007FF900030000-0x00007FF900031000-memory.dmp

Filesize
4KB

Download
memory/2376-121-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2376-119-0x00007FF7D0550000-0x00007FF7D0551000-memory.dmp

Filesize
4KB

Download
memory/2376-139-0x0000000002A50000-0x0000000002A52000-memory.dmp

Filesize
8KB

Download
memory/2376-136-0x00007FF900000000-0x00007FF900002000-memory.dmp

Filesize
8KB

Download
memory/2668-311-0x0000015ADF518000-0x0000015ADF519000-memory.dmp

Filesize
4KB

Download
memory/2668-309-0x0000015ADF516000-0x0000015ADF518000-memory.dmp

Filesize
8KB

Download
memory/2668-279-0x0000015ADF513000-0x0000015ADF515000-memory.dmp

Filesize
8KB

Download
memory/2668-278-0x0000015ADF510000-0x0000015ADF512000-memory.dmp

Filesize
8KB

Download
memory/2668-269-0x0000000000000000-mapping.dmp

Download
memory/2704-122-0x0000000000000000-mapping.dmp

Download
memory/3260-277-0x000001ADFC008000-0x000001ADFC009000-memory.dmp

Filesize
4KB

Download
memory/3260-247-0x000001ADFC003000-0x000001ADFC005000-memory.dmp

Filesize
8KB

Download
memory/3260-220-0x0000000000000000-mapping.dmp

Download
memory/3260-250-0x000001ADFC006000-0x000001ADFC008000-memory.dmp

Filesize
8KB

Download
memory/3260-244-0x000001ADFC000000-0x000001ADFC002000-memory.dmp

Filesize
8KB

Download
memory/3356-176-0x00000196F06D0000-0x00000196F06D2000-memory.dmp

Filesize
8KB

Download
memory/3356-174-0x00000196EED20000-0x00000196EED22000-memory.dmp

Filesize
8KB

Download
memory/3356-179-0x00000196EED20000-0x00000196EED22000-memory.dmp

Filesize
8KB

Download
memory/3356-180-0x00000196EED20000-0x00000196EED22000-memory.dmp

Filesize
8KB

Download
memory/3356-181-0x00000196EED20000-0x00000196EED22000-memory.dmp

Filesize
8KB

Download
memory/3356-183-0x00000196EED20000-0x00000196EED22000-memory.dmp

Filesize
8KB

Download
memory/3356-184-0x00000196EED20000-0x00000196EED22000-memory.dmp

Filesize
8KB

Download
memory/3356-210-0x00000196F06D8000-0x00000196F06D9000-memory.dmp

Filesize
4KB

Download
memory/3356-209-0x00000196F06D6000-0x00000196F06D8000-memory.dmp

Filesize
8KB

Download
memory/3356-175-0x00000196F06D3000-0x00000196F06D5000-memory.dmp

Filesize
8KB

Download
memory/3356-172-0x00000196EED20000-0x00000196EED22000-memory.dmp

Filesize
8KB

Download
memory/3356-171-0x00000196EED20000-0x00000196EED22000-memory.dmp

Filesize
8KB

Download
memory/3356-170-0x00000196EED20000-0x00000196EED22000-memory.dmp

Filesize
8KB

Download
memory/3356-168-0x0000000000000000-mapping.dmp

Download
memory/3664-173-0x000001C1630B8000-0x000001C1630B9000-memory.dmp

Filesize
4KB

Download
memory/3664-129-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-128-0x000001C1649E0000-0x000001C1649E1000-memory.dmp

Filesize
4KB

Download
memory/3664-127-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-126-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-125-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-124-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-123-0x0000000000000000-mapping.dmp

Download
memory/3664-130-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-131-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-132-0x000001C17D9B0000-0x000001C17D9B1000-memory.dmp

Filesize
4KB

Download
memory/3664-135-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-140-0x000001C1630B0000-0x000001C1630B2000-memory.dmp

Filesize
8KB

Download
memory/3664-167-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-166-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-164-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-163-0x000001C162E50000-0x000001C162E52000-memory.dmp

Filesize
8KB

Download
memory/3664-158-0x000001C1630B6000-0x000001C1630B8000-memory.dmp

Filesize
8KB

Download
memory/3664-141-0x000001C1630B3000-0x000001C1630B5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads