4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83

General

Target

4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe
Size

6.0MB
MD5

910713f54a0416c342cc46bbed1c53e3
SHA1

4363b9485c120676e5151974a4f682460a99d9d9
SHA256

4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83
SHA512

7e67cf773c0cd4afeae39b9a75e688d8c95f233fa8b0a40c1b07a786e4a108811e3a44acfb4b75a25ceae3dd2f15236b0c09ea272ea5621e1ddd8274ab2ccb50

Score

10^/10

evasion themida trojan

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1788 created 1256 1788 WerFault.exe cleoidvp.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 3 IoCs

Processes:

before.execleoidvp.exeIntelRapid.exe

pid process

4716 before.exe
1256 cleoidvp.exe
2368 IntelRapid.exe

description	pid	process	target process
PID 1788 created 1256	1788	WerFault.exe	cleoidvp.exe

pid	process
4716	before.exe
1256	cleoidvp.exe
2368	IntelRapid.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

before.exeIntelRapid.execleoidvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	before.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	before.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cleoidvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cleoidvp.exe

Drops startup file 1 IoCs

Processes:

before.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk before.exe
Loads dropped DLL 1 IoCs

Processes:

4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe

pid process

4020 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	before.exe

pid	process
4020	4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\droopt\before.exe	themida
C:\Users\Admin\AppData\Local\Temp\droopt\before.exe	themida
C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe	themida
behavioral2/memory/4716-135-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp	themida
behavioral2/memory/4716-136-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp	themida
behavioral2/memory/4716-138-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral2/memory/2368-141-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp	themida
behavioral2/memory/2368-142-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp	themida
behavioral2/memory/2368-143-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp	themida
behavioral2/memory/1256-144-0x00000000007F0000-0x0000000000EB1000-memory.dmp	themida
behavioral2/memory/1256-145-0x00000000007F0000-0x0000000000EB1000-memory.dmp	themida
behavioral2/memory/1256-146-0x00000000007F0000-0x0000000000EB1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

before.exeIntelRapid.execleoidvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	before.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cleoidvp.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

before.exeIntelRapid.execleoidvp.exe

pid process

4716 before.exe
2368 IntelRapid.exe
1256 cleoidvp.exe

flow	ioc
26	ip-api.com

pid	process
4716	before.exe
2368	IntelRapid.exe
1256	cleoidvp.exe

Drops file in Program Files directory 3 IoCs

Processes:

4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acledit.dll	4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe

Drops file in Windows directory 9 IoCs

Processes:

svchost.exeWerFault.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3136 1256 WerFault.exe cleoidvp.exe

pid	pid_target	process	target process
3136	1256	WerFault.exe	cleoidvp.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cleoidvp.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cleoidvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cleoidvp.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

2368 IntelRapid.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cleoidvp.exeWerFault.exe

pid process

1256 cleoidvp.exe
1256 cleoidvp.exe
3136 WerFault.exe
3136 WerFault.exe

pid	process
2368	IntelRapid.exe

pid	process
1256	cleoidvp.exe
1256	cleoidvp.exe
3136	WerFault.exe
3136	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeWerFault.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	1524	svchost.exe
Token: SeCreatePagefilePrivilege	1524	svchost.exe
Token: SeShutdownPrivilege	1524	svchost.exe
Token: SeCreatePagefilePrivilege	1524	svchost.exe
Token: SeShutdownPrivilege	1524	svchost.exe
Token: SeCreatePagefilePrivilege	1524	svchost.exe
Token: SeRestorePrivilege	3136	WerFault.exe
Token: SeBackupPrivilege	3136	WerFault.exe
Token: SeBackupPrivilege	3136	WerFault.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe
Token: SeRestorePrivilege	4300	TiWorker.exe
Token: SeSecurityPrivilege	4300	TiWorker.exe
Token: SeBackupPrivilege	4300	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exebefore.exeWerFault.exe

description	pid	process	target process
PID 4020 wrote to memory of 4716	4020	4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe	before.exe
PID 4020 wrote to memory of 4716	4020	4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe	before.exe
PID 4020 wrote to memory of 1256	4020	4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe	cleoidvp.exe
PID 4020 wrote to memory of 1256	4020	4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe	cleoidvp.exe
PID 4020 wrote to memory of 1256	4020	4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe	cleoidvp.exe
PID 4716 wrote to memory of 2368	4716	before.exe	IntelRapid.exe
PID 4716 wrote to memory of 2368	4716	before.exe	IntelRapid.exe
PID 1788 wrote to memory of 1256	1788	WerFault.exe	cleoidvp.exe
PID 1788 wrote to memory of 1256	1788	WerFault.exe	cleoidvp.exe

C:\Users\Admin\AppData\Local\Temp\4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe
"C:\Users\Admin\AppData\Local\Temp\4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\droopt\before.exe
"C:\Users\Admin\AppData\Local\Temp\droopt\before.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:2368

C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe
"C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1340
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1256 -ip 1256
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

5

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\droopt\before.exe
MD5
a5f561f29f736a1f99ef726773628fa3

SHA1
acf172fa11ee345a6041784ef9f1021307f598dd

SHA256
333acbfe28976ee28514bb425c2c461026572d0003a7378fba366716e408d822

SHA512
ff75d12f607e407d190802be88f319cc6750f3898bc411199f3fd6976e24ed55296fed7ef562f97cbeb61cb1c0b3b635fba999c0780561c2f5a1b88d2b56160c

Download Submit
C:\Users\Admin\AppData\Local\Temp\droopt\before.exe
MD5
a5f561f29f736a1f99ef726773628fa3

SHA1
acf172fa11ee345a6041784ef9f1021307f598dd

SHA256
333acbfe28976ee28514bb425c2c461026572d0003a7378fba366716e408d822

SHA512
ff75d12f607e407d190802be88f319cc6750f3898bc411199f3fd6976e24ed55296fed7ef562f97cbeb61cb1c0b3b635fba999c0780561c2f5a1b88d2b56160c

Download Submit
C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe
MD5
fda089a638a02b64c5175fbed3e4918b

SHA1
eef6c75a650b5d1f2f34b988fc88ceb328312c15

SHA256
f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f

SHA512
7a9d15d37fa40898b49015f457546439a61ba7ba644b082d1c6bd0f10a6a7fded631937e255839beadf966c6577650f30601333bbb852a1a9625d1e561355c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe
MD5
fda089a638a02b64c5175fbed3e4918b

SHA1
eef6c75a650b5d1f2f34b988fc88ceb328312c15

SHA256
f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f

SHA512
7a9d15d37fa40898b49015f457546439a61ba7ba644b082d1c6bd0f10a6a7fded631937e255839beadf966c6577650f30601333bbb852a1a9625d1e561355c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi6DEB.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
a5f561f29f736a1f99ef726773628fa3

SHA1
acf172fa11ee345a6041784ef9f1021307f598dd

SHA256
333acbfe28976ee28514bb425c2c461026572d0003a7378fba366716e408d822

SHA512
ff75d12f607e407d190802be88f319cc6750f3898bc411199f3fd6976e24ed55296fed7ef562f97cbeb61cb1c0b3b635fba999c0780561c2f5a1b88d2b56160c

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
a5f561f29f736a1f99ef726773628fa3

SHA1
acf172fa11ee345a6041784ef9f1021307f598dd

SHA256
333acbfe28976ee28514bb425c2c461026572d0003a7378fba366716e408d822

SHA512
ff75d12f607e407d190802be88f319cc6750f3898bc411199f3fd6976e24ed55296fed7ef562f97cbeb61cb1c0b3b635fba999c0780561c2f5a1b88d2b56160c

Download Submit
memory/1256-145-0x00000000007F0000-0x0000000000EB1000-memory.dmp

Filesize
6.8MB

Download
memory/1256-147-0x00000000778C4000-0x00000000778C6000-memory.dmp

Filesize
8KB

Download
memory/1256-146-0x00000000007F0000-0x0000000000EB1000-memory.dmp

Filesize
6.8MB

Download
memory/1256-144-0x00000000007F0000-0x0000000000EB1000-memory.dmp

Filesize
6.8MB

Download
memory/1524-148-0x000002A748B20000-0x000002A748B30000-memory.dmp

Filesize
64KB

Download
memory/1524-149-0x000002A748B80000-0x000002A748B90000-memory.dmp

Filesize
64KB

Download
memory/1524-150-0x000002A74B260000-0x000002A74B264000-memory.dmp

Filesize
16KB

Download
memory/2368-141-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp

Filesize
9.1MB

Download
memory/2368-142-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp

Filesize
9.1MB

Download
memory/2368-143-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp

Filesize
9.1MB

Download
memory/4716-136-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp

Filesize
9.1MB

Download
memory/4716-135-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp

Filesize
9.1MB

Download
memory/4716-137-0x00007FFEA21F0000-0x00007FFEA21F2000-memory.dmp

Filesize
8KB

Download
memory/4716-138-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads