chaos | f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974

General

Target

f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974.exe
Size

724KB
MD5

b2c4924ab02e0bf64720762b77227ea5
SHA1

501e15b75ffe156656fd6aee47a02dc7fc574e48
SHA256

f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974
SHA512

294cf4cfbe4a8a48be0d79f13ee1bf3e6ad0e5e6d0ed87e23399b81b912ed3f30fa79fc5d1b06731041a9d8d2a8a696abee96dc367cf2f15e70a0763df897f51

Score

10^/10

chaos vjw0rm persistence ransomware trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://ffy643dfxvtesdyekyg.ddns.net:7070

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\LocaltLAuZAlfWa.exe	family_chaos
C:\Users\Admin\AppData\LocaltLAuZAlfWa.exe	family_chaos
behavioral1/memory/368-59-0x00000000003E0000-0x000000000046E000-memory.dmp	family_chaos

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 14 IoCs

Processes:

WScript.exeWScript.exeWScript.exe

flow	pid	process
8	556	WScript.exe
9	556	WScript.exe
10	556	WScript.exe
12	664	WScript.exe
13	556	WScript.exe
15	2036	WScript.exe
16	556	WScript.exe
17	556	WScript.exe
18	556	WScript.exe
20	556	WScript.exe
22	556	WScript.exe
23	556	WScript.exe
25	556	WScript.exe
26	556	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

LocalFRBkkmBVVX.exeLocaltLAuZAlfWa.exe

pid process

320 LocalFRBkkmBVVX.exe
368 LocaltLAuZAlfWa.exe

pid	process
320	LocalFRBkkmBVVX.exe
368	LocaltLAuZAlfWa.exe

Drops startup file 8 IoCs

Processes:

WScript.exeWScript.exeLocalFRBkkmBVVX.exeWScript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp518B.tmp.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp518B.tmp.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windowsconsole.lnk	LocalFRBkkmBVVX.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windowsconsole.exe	LocalFRBkkmBVVX.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windowsconsole.exe	LocalFRBkkmBVVX.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp59C.tmp.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp59C.tmp.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp518B.tmp.vbs	WScript.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeLocalFRBkkmBVVX.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windowsconsole2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windowsconsole.URL"	LocalFRBkkmBVVX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windowsconsole = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windowsconsole.URL"	LocalFRBkkmBVVX.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tmp59C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp59C.tmp.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\FMS2OAD1ED = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp518B.tmp.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windowsconsole2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windowsconsole.URL"	LocalFRBkkmBVVX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windowsconsole = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windowsconsole.URL"	LocalFRBkkmBVVX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmp59C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp59C.tmp.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\FMS2OAD1ED = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp518B.tmp.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LocalFRBkkmBVVX.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LocalFRBkkmBVVX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	LocalFRBkkmBVVX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	LocalFRBkkmBVVX.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1680 schtasks.exe
456 schtasks.exe

pid	process
1680	schtasks.exe
456	schtasks.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

LocalFRBkkmBVVX.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	LocalFRBkkmBVVX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	LocalFRBkkmBVVX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	LocalFRBkkmBVVX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	LocalFRBkkmBVVX.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	LocalFRBkkmBVVX.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

LocaltLAuZAlfWa.exe

pid process

368 LocaltLAuZAlfWa.exe
368 LocaltLAuZAlfWa.exe
368 LocaltLAuZAlfWa.exe

pid	process
368	LocaltLAuZAlfWa.exe
368	LocaltLAuZAlfWa.exe
368	LocaltLAuZAlfWa.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

LocalFRBkkmBVVX.exeLocaltLAuZAlfWa.exe

description	pid	process
Token: SeDebugPrivilege	320	LocalFRBkkmBVVX.exe
Token: SeDebugPrivilege	368	LocaltLAuZAlfWa.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe
Token: 33	320	LocalFRBkkmBVVX.exe
Token: SeIncBasePriorityPrivilege	320	LocalFRBkkmBVVX.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974.exeLocalFRBkkmBVVX.exeWScript.exetaskeng.exeWScript.exe

description	pid	process	target process
PID 1308 wrote to memory of 320	1308	f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974.exe	LocalFRBkkmBVVX.exe
PID 1308 wrote to memory of 320	1308	f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974.exe	LocalFRBkkmBVVX.exe
PID 1308 wrote to memory of 320	1308	f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974.exe	LocalFRBkkmBVVX.exe
PID 1308 wrote to memory of 320	1308	f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974.exe	LocalFRBkkmBVVX.exe
PID 1308 wrote to memory of 368	1308	f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974.exe	LocaltLAuZAlfWa.exe
PID 1308 wrote to memory of 368	1308	f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974.exe	LocaltLAuZAlfWa.exe
PID 1308 wrote to memory of 368	1308	f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974.exe	LocaltLAuZAlfWa.exe
PID 320 wrote to memory of 556	320	LocalFRBkkmBVVX.exe	WScript.exe
PID 320 wrote to memory of 556	320	LocalFRBkkmBVVX.exe	WScript.exe
PID 320 wrote to memory of 556	320	LocalFRBkkmBVVX.exe	WScript.exe
PID 320 wrote to memory of 556	320	LocalFRBkkmBVVX.exe	WScript.exe
PID 320 wrote to memory of 664	320	LocalFRBkkmBVVX.exe	WScript.exe
PID 320 wrote to memory of 664	320	LocalFRBkkmBVVX.exe	WScript.exe
PID 320 wrote to memory of 664	320	LocalFRBkkmBVVX.exe	WScript.exe
PID 320 wrote to memory of 664	320	LocalFRBkkmBVVX.exe	WScript.exe
PID 664 wrote to memory of 1680	664	WScript.exe	schtasks.exe
PID 664 wrote to memory of 1680	664	WScript.exe	schtasks.exe
PID 664 wrote to memory of 1680	664	WScript.exe	schtasks.exe
PID 664 wrote to memory of 1680	664	WScript.exe	schtasks.exe
PID 1712 wrote to memory of 2036	1712	taskeng.exe	WScript.exe
PID 1712 wrote to memory of 2036	1712	taskeng.exe	WScript.exe
PID 1712 wrote to memory of 2036	1712	taskeng.exe	WScript.exe
PID 2036 wrote to memory of 456	2036	WScript.exe	schtasks.exe
PID 2036 wrote to memory of 456	2036	WScript.exe	schtasks.exe
PID 2036 wrote to memory of 456	2036	WScript.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974.exe
"C:\Users\Admin\AppData\Local\Temp\f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\LocalFRBkkmBVVX.exe
"C:\Users\Admin\AppData\LocalFRBkkmBVVX.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp59C.tmp.vbs"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.vbs"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.vbs
4⤵
- Creates scheduled task(s)
PID:1680

C:\Users\Admin\AppData\LocaltLAuZAlfWa.exe
"C:\Users\Admin\AppData\LocaltLAuZAlfWa.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\system32\taskeng.exe
taskeng.exe {2773FC98-FD83-4E68-8C62-11611A826556} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.vbs"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.vbs
3⤵
- Creates scheduled task(s)
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalFRBkkmBVVX.exe
MD5
6e3e5592c19a38b11833665b970cdef4

SHA1
30bb9a51ac309c14198fe89aa0f9d15d5e61093c

SHA256
3cb96db4bd5581bf18a61a0f574222cec2c15e7925bbf57f6509579652cbff86

SHA512
07c211fa41ef1c107e44154268d299fb5aee35f322f3a50d3d28ab4c19e3287a45b0e50e316beec82a16b89fe60a6bc4f7b46f908130bb7a9691dc00f776e8ea

Download Submit
C:\Users\Admin\AppData\LocalFRBkkmBVVX.exe
MD5
6e3e5592c19a38b11833665b970cdef4

SHA1
30bb9a51ac309c14198fe89aa0f9d15d5e61093c

SHA256
3cb96db4bd5581bf18a61a0f574222cec2c15e7925bbf57f6509579652cbff86

SHA512
07c211fa41ef1c107e44154268d299fb5aee35f322f3a50d3d28ab4c19e3287a45b0e50e316beec82a16b89fe60a6bc4f7b46f908130bb7a9691dc00f776e8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.vbs
MD5
620deeb7980c7959857a4bcaa345eeed

SHA1
bafbcaad69a9daaef2042d9df9954710e5b8dc27

SHA256
ef792fba50c517fb98f6f7a8cf0207f7adbf040dee71447e938b5836828540f7

SHA512
568a1d6a20a6ee0788bff50c9b5f262d6d021f4b769caffac3927486e0ca25f82326865eb1bdf452be666f49da6e260aea0ec5f88ae433ae42e4216fc7d0ab4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp59C.tmp.vbs
MD5
61cab73c2ee5c213c389c16d5091ab1d

SHA1
4dc69dedb4408a554e22a2916fbe92ef245cafc0

SHA256
95c97ee87f68dd942fe80ff50467e5784f7418a8631711bde8afbf936b44d621

SHA512
3527c9a0ba5d6f0e9643e7ff196bfb0055dd39753842823127ea359390e0dcb39c2ba97285df46a7d334f72c0b7959d5fddcdec9df370eebae2ca8f37e6700f0

Download Submit
C:\Users\Admin\AppData\LocaltLAuZAlfWa.exe
MD5
8b855e56e41a6e10d28522a20c1e0341

SHA1
17ea75272cfe3749c6727388fd444d2c970f9d01

SHA256
f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

SHA512
eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

Download Submit
C:\Users\Admin\AppData\LocaltLAuZAlfWa.exe
MD5
8b855e56e41a6e10d28522a20c1e0341

SHA1
17ea75272cfe3749c6727388fd444d2c970f9d01

SHA256
f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

SHA512
eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp518B.tmp.vbs
MD5
620deeb7980c7959857a4bcaa345eeed

SHA1
bafbcaad69a9daaef2042d9df9954710e5b8dc27

SHA256
ef792fba50c517fb98f6f7a8cf0207f7adbf040dee71447e938b5836828540f7

SHA512
568a1d6a20a6ee0788bff50c9b5f262d6d021f4b769caffac3927486e0ca25f82326865eb1bdf452be666f49da6e260aea0ec5f88ae433ae42e4216fc7d0ab4b

Download Submit
memory/320-64-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/320-61-0x0000000074E01000-0x0000000074E02000-memory.dmp

Filesize
4KB

Download
memory/320-63-0x0000000074E02000-0x0000000074E04000-memory.dmp

Filesize
8KB

Download
memory/320-62-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/320-67-0x0000000000466000-0x0000000000467000-memory.dmp

Filesize
4KB

Download
memory/320-58-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/320-75-0x0000000000467000-0x0000000000468000-memory.dmp

Filesize
4KB

Download
memory/320-76-0x0000000000455000-0x0000000000466000-memory.dmp

Filesize
68KB

Download
memory/368-65-0x000000001AA70000-0x000000001AA72000-memory.dmp

Filesize
8KB

Download
memory/368-66-0x000000001AA76000-0x000000001AA95000-memory.dmp

Filesize
124KB

Download
memory/368-60-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/368-59-0x00000000003E0000-0x000000000046E000-memory.dmp

Filesize
568KB

Download
memory/1712-72-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads