26a30811833fd93ecb266b4e2287e9b30cb99aff38e5109398462946fced4ab0

Analysis

max time kernel
101s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-08-2022 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOCALES/PROTONVP.exe
Size

26.9MB
MD5

e751f97a3d99007fd4f3bade78df78a1
SHA1

ec8be5c865e959b8675667a689851c2683e5c8d0
SHA256

b6db90130e99b34b6b28cd48c244b5c897baaa6f5cb200f83feb74d32614a3e3
SHA512

209ddb2fcd2ac2109ac517cf2608580286c7aa07ba876611caace0a057608112299468b7c1ff7b29ddbcfeabb7f037fed2cb64b622fe4fe925ef512d9725a5bd

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

PROTONVP.exeMsiExec.exe

pid process

1644 PROTONVP.exe
1644 PROTONVP.exe
956 MsiExec.exe
956 MsiExec.exe

pid	process
1644	PROTONVP.exe
1644	PROTONVP.exe
956	MsiExec.exe
956	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

PROTONVP.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	PROTONVP.exe
File opened (read-only)	\??\I:	PROTONVP.exe
File opened (read-only)	\??\K:	PROTONVP.exe
File opened (read-only)	\??\M:	PROTONVP.exe
File opened (read-only)	\??\N:	PROTONVP.exe
File opened (read-only)	\??\Q:	PROTONVP.exe
File opened (read-only)	\??\R:	PROTONVP.exe
File opened (read-only)	\??\A:	PROTONVP.exe
File opened (read-only)	\??\Z:	PROTONVP.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	PROTONVP.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	PROTONVP.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	PROTONVP.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	PROTONVP.exe
File opened (read-only)	\??\P:	PROTONVP.exe
File opened (read-only)	\??\U:	PROTONVP.exe
File opened (read-only)	\??\X:	PROTONVP.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	PROTONVP.exe
File opened (read-only)	\??\J:	PROTONVP.exe
File opened (read-only)	\??\L:	PROTONVP.exe
File opened (read-only)	\??\O:	PROTONVP.exe
File opened (read-only)	\??\W:	PROTONVP.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	PROTONVP.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	PROTONVP.exe
File opened (read-only)	\??\V:	PROTONVP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MsiExec.exe

pid process

956 MsiExec.exe

pid	process
956	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exePROTONVP.exe

description	pid	process
Token: SeRestorePrivilege	756	msiexec.exe
Token: SeTakeOwnershipPrivilege	756	msiexec.exe
Token: SeSecurityPrivilege	756	msiexec.exe
Token: SeCreateTokenPrivilege	1644	PROTONVP.exe
Token: SeAssignPrimaryTokenPrivilege	1644	PROTONVP.exe
Token: SeLockMemoryPrivilege	1644	PROTONVP.exe
Token: SeIncreaseQuotaPrivilege	1644	PROTONVP.exe
Token: SeMachineAccountPrivilege	1644	PROTONVP.exe
Token: SeTcbPrivilege	1644	PROTONVP.exe
Token: SeSecurityPrivilege	1644	PROTONVP.exe
Token: SeTakeOwnershipPrivilege	1644	PROTONVP.exe
Token: SeLoadDriverPrivilege	1644	PROTONVP.exe
Token: SeSystemProfilePrivilege	1644	PROTONVP.exe
Token: SeSystemtimePrivilege	1644	PROTONVP.exe
Token: SeProfSingleProcessPrivilege	1644	PROTONVP.exe
Token: SeIncBasePriorityPrivilege	1644	PROTONVP.exe
Token: SeCreatePagefilePrivilege	1644	PROTONVP.exe
Token: SeCreatePermanentPrivilege	1644	PROTONVP.exe
Token: SeBackupPrivilege	1644	PROTONVP.exe
Token: SeRestorePrivilege	1644	PROTONVP.exe
Token: SeShutdownPrivilege	1644	PROTONVP.exe
Token: SeDebugPrivilege	1644	PROTONVP.exe
Token: SeAuditPrivilege	1644	PROTONVP.exe
Token: SeSystemEnvironmentPrivilege	1644	PROTONVP.exe
Token: SeChangeNotifyPrivilege	1644	PROTONVP.exe
Token: SeRemoteShutdownPrivilege	1644	PROTONVP.exe
Token: SeUndockPrivilege	1644	PROTONVP.exe
Token: SeSyncAgentPrivilege	1644	PROTONVP.exe
Token: SeEnableDelegationPrivilege	1644	PROTONVP.exe
Token: SeManageVolumePrivilege	1644	PROTONVP.exe
Token: SeImpersonatePrivilege	1644	PROTONVP.exe
Token: SeCreateGlobalPrivilege	1644	PROTONVP.exe
Token: SeCreateTokenPrivilege	1644	PROTONVP.exe
Token: SeAssignPrimaryTokenPrivilege	1644	PROTONVP.exe
Token: SeLockMemoryPrivilege	1644	PROTONVP.exe
Token: SeIncreaseQuotaPrivilege	1644	PROTONVP.exe
Token: SeMachineAccountPrivilege	1644	PROTONVP.exe
Token: SeTcbPrivilege	1644	PROTONVP.exe
Token: SeSecurityPrivilege	1644	PROTONVP.exe
Token: SeTakeOwnershipPrivilege	1644	PROTONVP.exe
Token: SeLoadDriverPrivilege	1644	PROTONVP.exe
Token: SeSystemProfilePrivilege	1644	PROTONVP.exe
Token: SeSystemtimePrivilege	1644	PROTONVP.exe
Token: SeProfSingleProcessPrivilege	1644	PROTONVP.exe
Token: SeIncBasePriorityPrivilege	1644	PROTONVP.exe
Token: SeCreatePagefilePrivilege	1644	PROTONVP.exe
Token: SeCreatePermanentPrivilege	1644	PROTONVP.exe
Token: SeBackupPrivilege	1644	PROTONVP.exe
Token: SeRestorePrivilege	1644	PROTONVP.exe
Token: SeShutdownPrivilege	1644	PROTONVP.exe
Token: SeDebugPrivilege	1644	PROTONVP.exe
Token: SeAuditPrivilege	1644	PROTONVP.exe
Token: SeSystemEnvironmentPrivilege	1644	PROTONVP.exe
Token: SeChangeNotifyPrivilege	1644	PROTONVP.exe
Token: SeRemoteShutdownPrivilege	1644	PROTONVP.exe
Token: SeUndockPrivilege	1644	PROTONVP.exe
Token: SeSyncAgentPrivilege	1644	PROTONVP.exe
Token: SeEnableDelegationPrivilege	1644	PROTONVP.exe
Token: SeManageVolumePrivilege	1644	PROTONVP.exe
Token: SeImpersonatePrivilege	1644	PROTONVP.exe
Token: SeCreateGlobalPrivilege	1644	PROTONVP.exe
Token: SeCreateTokenPrivilege	1644	PROTONVP.exe
Token: SeAssignPrimaryTokenPrivilege	1644	PROTONVP.exe
Token: SeLockMemoryPrivilege	1644	PROTONVP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

PROTONVP.exe

pid process

1644 PROTONVP.exe

pid	process
1644	PROTONVP.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

msiexec.exePROTONVP.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 756 wrote to memory of 956	756	msiexec.exe	MsiExec.exe
PID 756 wrote to memory of 956	756	msiexec.exe	MsiExec.exe
PID 756 wrote to memory of 956	756	msiexec.exe	MsiExec.exe
PID 756 wrote to memory of 956	756	msiexec.exe	MsiExec.exe
PID 756 wrote to memory of 956	756	msiexec.exe	MsiExec.exe
PID 756 wrote to memory of 956	756	msiexec.exe	MsiExec.exe
PID 756 wrote to memory of 956	756	msiexec.exe	MsiExec.exe
PID 1644 wrote to memory of 332	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 332	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 332	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 332	1644	PROTONVP.exe	cmd.exe
PID 332 wrote to memory of 1760	332	cmd.exe	WMIC.exe
PID 332 wrote to memory of 1760	332	cmd.exe	WMIC.exe
PID 332 wrote to memory of 1760	332	cmd.exe	WMIC.exe
PID 332 wrote to memory of 1760	332	cmd.exe	WMIC.exe
PID 332 wrote to memory of 768	332	cmd.exe	findstr.exe
PID 332 wrote to memory of 768	332	cmd.exe	findstr.exe
PID 332 wrote to memory of 768	332	cmd.exe	findstr.exe
PID 332 wrote to memory of 768	332	cmd.exe	findstr.exe
PID 1644 wrote to memory of 436	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 436	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 436	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 436	1644	PROTONVP.exe	cmd.exe
PID 436 wrote to memory of 1988	436	cmd.exe	WMIC.exe
PID 436 wrote to memory of 1988	436	cmd.exe	WMIC.exe
PID 436 wrote to memory of 1988	436	cmd.exe	WMIC.exe
PID 436 wrote to memory of 1988	436	cmd.exe	WMIC.exe
PID 436 wrote to memory of 1940	436	cmd.exe	findstr.exe
PID 436 wrote to memory of 1940	436	cmd.exe	findstr.exe
PID 436 wrote to memory of 1940	436	cmd.exe	findstr.exe
PID 436 wrote to memory of 1940	436	cmd.exe	findstr.exe
PID 1644 wrote to memory of 2044	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 2044	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 2044	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 2044	1644	PROTONVP.exe	cmd.exe
PID 2044 wrote to memory of 1592	2044	cmd.exe	WMIC.exe
PID 2044 wrote to memory of 1592	2044	cmd.exe	WMIC.exe
PID 2044 wrote to memory of 1592	2044	cmd.exe	WMIC.exe
PID 2044 wrote to memory of 1592	2044	cmd.exe	WMIC.exe
PID 2044 wrote to memory of 1596	2044	cmd.exe	findstr.exe
PID 2044 wrote to memory of 1596	2044	cmd.exe	findstr.exe
PID 2044 wrote to memory of 1596	2044	cmd.exe	findstr.exe
PID 2044 wrote to memory of 1596	2044	cmd.exe	findstr.exe
PID 1644 wrote to memory of 1656	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 1656	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 1656	1644	PROTONVP.exe	cmd.exe
PID 1644 wrote to memory of 1656	1644	PROTONVP.exe	cmd.exe
PID 1656 wrote to memory of 864	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 864	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 864	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 864	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 1324	1656	cmd.exe	findstr.exe
PID 1656 wrote to memory of 1324	1656	cmd.exe	findstr.exe
PID 1656 wrote to memory of 1324	1656	cmd.exe	findstr.exe
PID 1656 wrote to memory of 1324	1656	cmd.exe	findstr.exe

C:\Users\Admin\AppData\Local\Temp\LOCALES\PROTONVP.exe
"C:\Users\Admin\AppData\Local\Temp\LOCALES\PROTONVP.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\{78E8B570-4551-416B-8F87-6917E1EBBAF9}\check-KB2992611.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic qfe get hotfixid
3⤵
PID:1760

C:\Windows\SysWOW64\findstr.exe
FindStr "KB2992611"
3⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\{78E8B570-4551-416B-8F87-6917E1EBBAF9}\check-KB3033929.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic qfe get hotfixid
3⤵
PID:1988

C:\Windows\SysWOW64\findstr.exe
FindStr "KB3033929 KB4019264 KB4022719 KB4025341 KB4034664 KB4038777 KB4041681 KB4343900 KB4457144 KB4462923 KB4467107 KB4471318 KB4480970 KB4486563 KB4489878 KB4474419 KB4493472 KB4499164 KB4499175 KB4503292 KB4503269 KB4507449 KB4507456 KB4512506 KB4516065 KB4519976 KB4524157 KB4015549 KB3197868 KB3185330"
3⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\{78E8B570-4551-416B-8F87-6917E1EBBAF9}\check-KB3063858.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic qfe get hotfixid
3⤵
PID:1592

C:\Windows\SysWOW64\findstr.exe
FindStr "KB3063858 KB2533623 KB4457144 KB3126587 KB3126593 KB3146706 KB4014793"
3⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\{78E8B570-4551-416B-8F87-6917E1EBBAF9}\check-KB2921916.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic qfe get hotfixid
3⤵
PID:864

C:\Windows\SysWOW64\findstr.exe
FindStr "KB2921916"
3⤵
PID:1324

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F127F84353C2864696474929AA63DD29 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI347F.tmp
Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID292.tmp
Filesize
912KB

MD5
b15dbf4b35cd1460ba283795e24878c8

SHA1
327812be4bfdce7a87cb00fab432ecc0d8c38c1e

SHA256
0ac07db6140408e9586d46727eb32af8f8048cad535eca9052b6ef1149e63147

SHA512
95edc60c9658e0e8631604459969a406414902f297b7a14f2be6d3bc18878636167d202530d4ee3b4d7af189a9139a2183929250920196c48c08eda3d6dfdca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{78E8B570-4551-416B-8F87-6917E1EBBAF9}\check-KB2921916.bat
Filesize
138B

MD5
7201a54b363705c2be8dd58aca8b1376

SHA1
fb8528da7d5b54c3c42aec8db75218ad00005ec0

SHA256
1c7abbfee3e941c6e042fee20ff84582bc8d0a8424606a0e7e7ff74e81b3561f

SHA512
436095290c2de26184ad75e999cf399c22e1c6923d733bb37cf552591ab539052f1343314b37fe719a219766c1b9ecd7165bd6b88efc1c0fba9a4a5267beefff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{78E8B570-4551-416B-8F87-6917E1EBBAF9}\check-KB2992611.bat
Filesize
138B

MD5
c0b9a9e270106987f3fe23676159a6ab

SHA1
051c692fcaf8d0b7e98db8bce31eccc9bbec27b9

SHA256
afd7d5bc31c774a85e833872c57b1d00eda31dc42fef6973efe81a8888036748

SHA512
0492a02850c268ae8103583f038fc98c969537fccb47c56f083e30d1c8301a8617d40b93841d1442d5d361cc06da8ed955b0cb6dfe733d6b4fafdda8b4159281

Download Submit
C:\Users\Admin\AppData\Local\Temp\{78E8B570-4551-416B-8F87-6917E1EBBAF9}\check-KB3033929.bat
Filesize
428B

MD5
7893b5b760e59d9ced1c5166ffbcc5c4

SHA1
b6a6855e7d5fe1dbd31f8e07ebf3c630fc7400e6

SHA256
5116abaa632d180c1615bad2b026432c5a6577054cea5c8d7a636bcab04c0ab3

SHA512
889c0fef067f2e5f06132670284a1882f20311b9eaac5dc9b08919a4f69aa4c64ab0edc2f96e9f43e35696b71d7001cba8af57654ab851de5b6192619ae8a5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{78E8B570-4551-416B-8F87-6917E1EBBAF9}\check-KB3063858.bat
Filesize
198B

MD5
3fbc0ae551a37e2c10fa4f06c1a5c6d8

SHA1
1b525225150c355f0ed62a55e094b062740043f0

SHA256
ab642527c2f7d96a34442f9004990d7229d850a913b22e540168976371122e85

SHA512
db0514c24ba52e6b02982caf13891c0d3d9683236d60198866d608bd60e7daef03aac9879cf3dcdf984cd80a521a4ea4fe7eafef24892da86b5772a40694a3b5

Download Submit
\Users\Admin\AppData\Local\Temp\MSI347F.tmp
Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
\Users\Admin\AppData\Local\Temp\MSID292.tmp
Filesize
912KB

MD5
b15dbf4b35cd1460ba283795e24878c8

SHA1
327812be4bfdce7a87cb00fab432ecc0d8c38c1e

SHA256
0ac07db6140408e9586d46727eb32af8f8048cad535eca9052b6ef1149e63147

SHA512
95edc60c9658e0e8631604459969a406414902f297b7a14f2be6d3bc18878636167d202530d4ee3b4d7af189a9139a2183929250920196c48c08eda3d6dfdca4

Download Submit
\Users\Admin\AppData\Local\Temp\{78E8B570-4551-416B-8F87-6917E1EBBAF9}\decoder.dll
Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit
\Users\Admin\AppData\Local\Temp\{78E8B570-4551-416B-8F87-6917E1EBBAF9}\decoder.dll
Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit
memory/332-65-0x0000000000000000-mapping.dmp

Download
memory/436-69-0x0000000000000000-mapping.dmp

Download
memory/756-58-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/768-68-0x0000000000000000-mapping.dmp

Download
memory/864-79-0x0000000000000000-mapping.dmp

Download
memory/956-59-0x0000000000000000-mapping.dmp

Download
memory/1324-80-0x0000000000000000-mapping.dmp

Download
memory/1592-75-0x0000000000000000-mapping.dmp

Download
memory/1596-76-0x0000000000000000-mapping.dmp

Download
memory/1644-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1644-55-0x0000000073F71000-0x0000000073F73000-memory.dmp

Filesize
8KB

Download
memory/1656-77-0x0000000000000000-mapping.dmp

Download
memory/1760-67-0x0000000000000000-mapping.dmp

Download
memory/1940-72-0x0000000000000000-mapping.dmp

Download
memory/1988-71-0x0000000000000000-mapping.dmp

Download
memory/2044-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads