47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536

General

Target

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
Size

4.9MB
MD5

7b7cfe46454f0f7a9c046636eb66dda0
SHA1

9ef56977d9b96e81e42f94ef29b144698685e5d3
SHA256

47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536
SHA512

28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

services64.exesihost32.exe

pid process

3096 services64.exe
3672 sihost32.exe

pid	process
3096	services64.exe
3672	sihost32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exeservices64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	services64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	services64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3488-116-0x00007FF6C4BE0000-0x00007FF6C4BE1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\services64.exe	themida
C:\Users\Admin\AppData\Local\Temp\services64.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exeservices64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exeservices64.exe

pid process

3488 SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
3096 services64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2216 schtasks.exe

pid	process
2216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exepowershell.exepowershell.exeservices64.exepowershell.exepowershell.exe

pid	process
3488	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
3096	services64.exe
3096	services64.exe
1376	powershell.exe
1376	powershell.exe
1376	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exepowershell.exepowershell.exeservices64.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3488	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeIncreaseQuotaPrivilege	4024	powershell.exe
Token: SeSecurityPrivilege	4024	powershell.exe
Token: SeTakeOwnershipPrivilege	4024	powershell.exe
Token: SeLoadDriverPrivilege	4024	powershell.exe
Token: SeSystemProfilePrivilege	4024	powershell.exe
Token: SeSystemtimePrivilege	4024	powershell.exe
Token: SeProfSingleProcessPrivilege	4024	powershell.exe
Token: SeIncBasePriorityPrivilege	4024	powershell.exe
Token: SeCreatePagefilePrivilege	4024	powershell.exe
Token: SeBackupPrivilege	4024	powershell.exe
Token: SeRestorePrivilege	4024	powershell.exe
Token: SeShutdownPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeSystemEnvironmentPrivilege	4024	powershell.exe
Token: SeRemoteShutdownPrivilege	4024	powershell.exe
Token: SeUndockPrivilege	4024	powershell.exe
Token: SeManageVolumePrivilege	4024	powershell.exe
Token: 33	4024	powershell.exe
Token: 34	4024	powershell.exe
Token: 35	4024	powershell.exe
Token: 36	4024	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeIncreaseQuotaPrivilege	1460	powershell.exe
Token: SeSecurityPrivilege	1460	powershell.exe
Token: SeTakeOwnershipPrivilege	1460	powershell.exe
Token: SeLoadDriverPrivilege	1460	powershell.exe
Token: SeSystemProfilePrivilege	1460	powershell.exe
Token: SeSystemtimePrivilege	1460	powershell.exe
Token: SeProfSingleProcessPrivilege	1460	powershell.exe
Token: SeIncBasePriorityPrivilege	1460	powershell.exe
Token: SeCreatePagefilePrivilege	1460	powershell.exe
Token: SeBackupPrivilege	1460	powershell.exe
Token: SeRestorePrivilege	1460	powershell.exe
Token: SeShutdownPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeSystemEnvironmentPrivilege	1460	powershell.exe
Token: SeRemoteShutdownPrivilege	1460	powershell.exe
Token: SeUndockPrivilege	1460	powershell.exe
Token: SeManageVolumePrivilege	1460	powershell.exe
Token: 33	1460	powershell.exe
Token: 34	1460	powershell.exe
Token: 35	1460	powershell.exe
Token: 36	1460	powershell.exe
Token: SeDebugPrivilege	3096	services64.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeIncreaseQuotaPrivilege	1376	powershell.exe
Token: SeSecurityPrivilege	1376	powershell.exe
Token: SeTakeOwnershipPrivilege	1376	powershell.exe
Token: SeLoadDriverPrivilege	1376	powershell.exe
Token: SeSystemProfilePrivilege	1376	powershell.exe
Token: SeSystemtimePrivilege	1376	powershell.exe
Token: SeProfSingleProcessPrivilege	1376	powershell.exe
Token: SeIncBasePriorityPrivilege	1376	powershell.exe
Token: SeCreatePagefilePrivilege	1376	powershell.exe
Token: SeBackupPrivilege	1376	powershell.exe
Token: SeRestorePrivilege	1376	powershell.exe
Token: SeShutdownPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeSystemEnvironmentPrivilege	1376	powershell.exe
Token: SeRemoteShutdownPrivilege	1376	powershell.exe
Token: SeUndockPrivilege	1376	powershell.exe
Token: SeManageVolumePrivilege	1376	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.execmd.execmd.execmd.exeservices64.execmd.exe

description	pid	process	target process
PID 3488 wrote to memory of 4056	3488	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 3488 wrote to memory of 4056	3488	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 4056 wrote to memory of 4024	4056	cmd.exe	powershell.exe
PID 4056 wrote to memory of 4024	4056	cmd.exe	powershell.exe
PID 3488 wrote to memory of 4000	3488	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 3488 wrote to memory of 4000	3488	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 4000 wrote to memory of 2216	4000	cmd.exe	schtasks.exe
PID 4000 wrote to memory of 2216	4000	cmd.exe	schtasks.exe
PID 4056 wrote to memory of 1460	4056	cmd.exe	powershell.exe
PID 4056 wrote to memory of 1460	4056	cmd.exe	powershell.exe
PID 3488 wrote to memory of 2776	3488	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 3488 wrote to memory of 2776	3488	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 2776 wrote to memory of 3096	2776	cmd.exe	services64.exe
PID 2776 wrote to memory of 3096	2776	cmd.exe	services64.exe
PID 3096 wrote to memory of 1244	3096	services64.exe	cmd.exe
PID 3096 wrote to memory of 1244	3096	services64.exe	cmd.exe
PID 1244 wrote to memory of 1376	1244	cmd.exe	powershell.exe
PID 1244 wrote to memory of 1376	1244	cmd.exe	powershell.exe
PID 3096 wrote to memory of 3672	3096	services64.exe	sihost32.exe
PID 3096 wrote to memory of 3672	3096	services64.exe	sihost32.exe
PID 1244 wrote to memory of 3948	1244	cmd.exe	powershell.exe
PID 1244 wrote to memory of 3948	1244	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
3⤵
- Creates scheduled task(s)
PID:2216

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\services64.exe
C:\Users\Admin\AppData\Local\Temp\services64.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3948

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:3672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bee584cec037481e8d200d6a76684358

SHA1
3e2e9a132611bbd1afd1436adc37a3ccf696aa1a

SHA256
a0b54819ae4dcc6565fdbf7a08878ef8ca9e20d8ed20d370261f34e531b81722

SHA512
de69165580250e1c8c4cbd6865b112c68e2f15cdc477dd2fb1151ecc8c99bafc1199bc9ca5bc31f7befa506cdcfc19fbc63c8b0d5b6797a9bf8646ff78605580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4dadd945bb651b8848dea60a33fd2ac8

SHA1
057a76c3bb2424cf3ddcd9a7a341c963b5c37a0e

SHA256
9585cac6f14fa119202edfdecd5dea8d398a7df3212240d389f9d0ddc163d818

SHA512
f6b5c7b1fec7a4b706e0dc3254f6ac55ae165bd3121567e5dbd684335246ea41970d217981a6fb667bf4c70bf3014ee8281bb6f871e5a6b1f6efb4bc0cd50754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1d15a30ab28cd1683d0655dce47825cd

SHA1
88e4cd609481d63f8ee63b5b97851b7ab080e05a

SHA256
62c3491daea8d827c46a907ae10d3d03d9f563fa3e95bbafc9f22a2252eb11b0

SHA512
1b0fc4db9e2672af2dd8e873c9845a4aebfef5a4f8b4c2ba78e14b32a29c84ee7c69ce5fe8953d7f08c0156355b232d8e71a8576c7bbf0ffd3b6eafb39a4a309

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe
MD5
7b7cfe46454f0f7a9c046636eb66dda0

SHA1
9ef56977d9b96e81e42f94ef29b144698685e5d3

SHA256
47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536

SHA512
28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe
MD5
7b7cfe46454f0f7a9c046636eb66dda0

SHA1
9ef56977d9b96e81e42f94ef29b144698685e5d3

SHA256
47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536

SHA512
28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
1674dd9c7a7775b73be309ad1c62ffd4

SHA1
44eca69c94e11a4ad6f186e3205d8a96150b228c

SHA256
d223e6e836d93bf5af48c21fe6ec7a9e31dd4b351111cce77f0b3cd0a2679c0a

SHA512
059918fc77df9663ad57879a50e1a2803a5d84c73117d2a991908043899a88cd16f4b1fb45bdfc93e3a446be6ddbe6546b11cc85553c245b810ea226fb93affd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
1674dd9c7a7775b73be309ad1c62ffd4

SHA1
44eca69c94e11a4ad6f186e3205d8a96150b228c

SHA256
d223e6e836d93bf5af48c21fe6ec7a9e31dd4b351111cce77f0b3cd0a2679c0a

SHA512
059918fc77df9663ad57879a50e1a2803a5d84c73117d2a991908043899a88cd16f4b1fb45bdfc93e3a446be6ddbe6546b11cc85553c245b810ea226fb93affd

Download Submit
memory/1244-214-0x0000000000000000-mapping.dmp

Download
memory/1376-240-0x000001A3A0EC0000-0x000001A3A0EC2000-memory.dmp

Filesize
8KB

Download
memory/1376-243-0x000001A3A0EC3000-0x000001A3A0EC5000-memory.dmp

Filesize
8KB

Download
memory/1376-215-0x0000000000000000-mapping.dmp

Download
memory/1376-246-0x000001A3A0EC6000-0x000001A3A0EC8000-memory.dmp

Filesize
8KB

Download
memory/1376-262-0x000001A3A0EC8000-0x000001A3A0EC9000-memory.dmp

Filesize
4KB

Download
memory/1460-205-0x000002114F9E8000-0x000002114F9E9000-memory.dmp

Filesize
4KB

Download
memory/1460-173-0x0000021137380000-0x0000021137382000-memory.dmp

Filesize
8KB

Download
memory/1460-189-0x000002114F9E0000-0x000002114F9E2000-memory.dmp

Filesize
8KB

Download
memory/1460-190-0x000002114F9E3000-0x000002114F9E5000-memory.dmp

Filesize
8KB

Download
memory/1460-179-0x0000021137380000-0x0000021137382000-memory.dmp

Filesize
8KB

Download
memory/1460-178-0x0000021137380000-0x0000021137382000-memory.dmp

Filesize
8KB

Download
memory/1460-169-0x0000021137380000-0x0000021137382000-memory.dmp

Filesize
8KB

Download
memory/1460-176-0x0000021137380000-0x0000021137382000-memory.dmp

Filesize
8KB

Download
memory/1460-174-0x0000021137380000-0x0000021137382000-memory.dmp

Filesize
8KB

Download
memory/1460-192-0x000002114F9E6000-0x000002114F9E8000-memory.dmp

Filesize
8KB

Download
memory/1460-170-0x0000021137380000-0x0000021137382000-memory.dmp

Filesize
8KB

Download
memory/1460-164-0x0000000000000000-mapping.dmp

Download
memory/1460-166-0x0000021137380000-0x0000021137382000-memory.dmp

Filesize
8KB

Download
memory/1460-168-0x0000021137380000-0x0000021137382000-memory.dmp

Filesize
8KB

Download
memory/1460-167-0x0000021137380000-0x0000021137382000-memory.dmp

Filesize
8KB

Download
memory/2216-138-0x0000000000000000-mapping.dmp

Download
memory/2776-206-0x0000000000000000-mapping.dmp

Download
memory/3096-219-0x00007FFD00030000-0x00007FFD00031000-memory.dmp

Filesize
4KB

Download
memory/3096-208-0x0000000000000000-mapping.dmp

Download
memory/3096-217-0x00007FFD00000000-0x00007FFD00002000-memory.dmp

Filesize
8KB

Download
memory/3096-220-0x0000000002EE0000-0x0000000002EE2000-memory.dmp

Filesize
8KB

Download
memory/3488-118-0x00007FFD00000000-0x00007FFD00002000-memory.dmp

Filesize
8KB

Download
memory/3488-119-0x00007FFD00030000-0x00007FFD00031000-memory.dmp

Filesize
4KB

Download
memory/3488-116-0x00007FF6C4BE0000-0x00007FF6C4BE1000-memory.dmp

Filesize
4KB

Download
memory/3488-132-0x000000001C570000-0x000000001C572000-memory.dmp

Filesize
8KB

Download
memory/3488-120-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3672-245-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/3672-225-0x0000000000000000-mapping.dmp

Download
memory/3948-280-0x0000023C4ACA0000-0x0000023C4ACA2000-memory.dmp

Filesize
8KB

Download
memory/3948-264-0x0000000000000000-mapping.dmp

Download
memory/3948-282-0x0000023C4ACA3000-0x0000023C4ACA5000-memory.dmp

Filesize
8KB

Download
memory/3948-284-0x0000023C4ACA6000-0x0000023C4ACA8000-memory.dmp

Filesize
8KB

Download
memory/3948-302-0x0000023C4ACA8000-0x0000023C4ACA9000-memory.dmp

Filesize
4KB

Download
memory/4000-137-0x0000000000000000-mapping.dmp

Download
memory/4024-133-0x00000269801A0000-0x00000269801A2000-memory.dmp

Filesize
8KB

Download
memory/4024-134-0x00000269801A3000-0x00000269801A5000-memory.dmp

Filesize
8KB

Download
memory/4024-128-0x0000026980140000-0x0000026980141000-memory.dmp

Filesize
4KB

Download
memory/4024-126-0x00000269E78C0000-0x00000269E78C2000-memory.dmp

Filesize
8KB

Download
memory/4024-125-0x00000269E78C0000-0x00000269E78C2000-memory.dmp

Filesize
8KB

Download
memory/4024-123-0x00000269E78C0000-0x00000269E78C2000-memory.dmp

Filesize
8KB

Download
memory/4024-129-0x00000269E78C0000-0x00000269E78C2000-memory.dmp

Filesize
8KB

Download
memory/4024-124-0x00000269E78C0000-0x00000269E78C2000-memory.dmp

Filesize
8KB

Download
memory/4024-122-0x0000000000000000-mapping.dmp

Download
memory/4024-141-0x00000269E78C0000-0x00000269E78C2000-memory.dmp

Filesize
8KB

Download
memory/4024-130-0x00000269E78C0000-0x00000269E78C2000-memory.dmp

Filesize
8KB

Download
memory/4024-131-0x0000026980CC0000-0x0000026980CC1000-memory.dmp

Filesize
4KB

Download
memory/4024-163-0x00000269E78C0000-0x00000269E78C2000-memory.dmp

Filesize
8KB

Download
memory/4024-127-0x00000269E78C0000-0x00000269E78C2000-memory.dmp

Filesize
8KB

Download
memory/4024-187-0x00000269801A8000-0x00000269801A9000-memory.dmp

Filesize
4KB

Download
memory/4024-135-0x00000269E78C0000-0x00000269E78C2000-memory.dmp

Filesize
8KB

Download
memory/4024-139-0x00000269801A6000-0x00000269801A8000-memory.dmp

Filesize
8KB

Download
memory/4024-140-0x00000269E78C0000-0x00000269E78C2000-memory.dmp

Filesize
8KB

Download
memory/4056-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads