wannacry | 7e6d06f5424093737b32866e419b18a9c9e9493311def0e9b2c8e4158ced4f8d

General

Target

b986859e09e5eda5c996a7368d75cd63.exe
Size

3.6MB
MD5

b986859e09e5eda5c996a7368d75cd63
SHA1

2c62d02457e5d1ff5e0652047b77d5518b02f1d9
SHA256

7e6d06f5424093737b32866e419b18a9c9e9493311def0e9b2c8e4158ced4f8d
SHA512

3c7b5acb380f5c9aed9046f34acb39e74c5625e047b34ab26262525a53eb44e6a701aaefe5d541f2dd13130f6b801b48271225ccb599b742257f637267f4e9d1
SSDEEP

98304:a9PoBhz1aRxcSUDk36SAEdhvw3R8yAVp2H:a9Pe1Cxcxk3ZAEGR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (885) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops file in System32 directory 1 IoCs

Processes:

b986859e09e5eda5c996a7368d75cd63.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	b986859e09e5eda5c996a7368d75cd63.exe

Drops file in Windows directory 1 IoCs

Processes:

b986859e09e5eda5c996a7368d75cd63.exe

description ioc process

File created C:\WINDOWS\tasksche.exe b986859e09e5eda5c996a7368d75cd63.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	b986859e09e5eda5c996a7368d75cd63.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

b986859e09e5eda5c996a7368d75cd63.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\WpadDecisionTime = f09db68acab8d801	b986859e09e5eda5c996a7368d75cd63.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\WpadNetworkName = "Network 3"	b986859e09e5eda5c996a7368d75cd63.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-b1-ff-15-a0-08	b986859e09e5eda5c996a7368d75cd63.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	b986859e09e5eda5c996a7368d75cd63.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	b986859e09e5eda5c996a7368d75cd63.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\WpadDecisionReason = "1"	b986859e09e5eda5c996a7368d75cd63.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	b986859e09e5eda5c996a7368d75cd63.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	b986859e09e5eda5c996a7368d75cd63.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\3a-b1-ff-15-a0-08	b986859e09e5eda5c996a7368d75cd63.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	b986859e09e5eda5c996a7368d75cd63.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	b986859e09e5eda5c996a7368d75cd63.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	b986859e09e5eda5c996a7368d75cd63.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\WpadDecision = "0"	b986859e09e5eda5c996a7368d75cd63.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-b1-ff-15-a0-08\WpadDecisionTime = f09db68acab8d801	b986859e09e5eda5c996a7368d75cd63.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-b1-ff-15-a0-08\WpadDecision = "0"	b986859e09e5eda5c996a7368d75cd63.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	b986859e09e5eda5c996a7368d75cd63.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	b986859e09e5eda5c996a7368d75cd63.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	b986859e09e5eda5c996a7368d75cd63.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0091000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	b986859e09e5eda5c996a7368d75cd63.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}	b986859e09e5eda5c996a7368d75cd63.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-b1-ff-15-a0-08\WpadDecisionReason = "1"	b986859e09e5eda5c996a7368d75cd63.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	b986859e09e5eda5c996a7368d75cd63.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	b986859e09e5eda5c996a7368d75cd63.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	b986859e09e5eda5c996a7368d75cd63.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b986859e09e5eda5c996a7368d75cd63.exeb986859e09e5eda5c996a7368d75cd63.exe

pid process

1652 b986859e09e5eda5c996a7368d75cd63.exe
1120 b986859e09e5eda5c996a7368d75cd63.exe

Suspicious behavior: MapViewOfSection 44 IoCs

Processes:

b986859e09e5eda5c996a7368d75cd63.exeb986859e09e5eda5c996a7368d75cd63.exe

pid	process
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1652	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe
1120	b986859e09e5eda5c996a7368d75cd63.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b986859e09e5eda5c996a7368d75cd63.exeb986859e09e5eda5c996a7368d75cd63.exe

description pid process

Token: SeDebugPrivilege 1652 b986859e09e5eda5c996a7368d75cd63.exe
Token: SeDebugPrivilege 1120 b986859e09e5eda5c996a7368d75cd63.exe

description	pid	process
Token: SeDebugPrivilege	1652	b986859e09e5eda5c996a7368d75cd63.exe
Token: SeDebugPrivilege	1120	b986859e09e5eda5c996a7368d75cd63.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b986859e09e5eda5c996a7368d75cd63.exe

description	pid	process	target process
PID 1652 wrote to memory of 372	1652	b986859e09e5eda5c996a7368d75cd63.exe	wininit.exe
PID 1652 wrote to memory of 372	1652	b986859e09e5eda5c996a7368d75cd63.exe	wininit.exe
PID 1652 wrote to memory of 372	1652	b986859e09e5eda5c996a7368d75cd63.exe	wininit.exe
PID 1652 wrote to memory of 372	1652	b986859e09e5eda5c996a7368d75cd63.exe	wininit.exe
PID 1652 wrote to memory of 372	1652	b986859e09e5eda5c996a7368d75cd63.exe	wininit.exe
PID 1652 wrote to memory of 372	1652	b986859e09e5eda5c996a7368d75cd63.exe	wininit.exe
PID 1652 wrote to memory of 384	1652	b986859e09e5eda5c996a7368d75cd63.exe	csrss.exe
PID 1652 wrote to memory of 384	1652	b986859e09e5eda5c996a7368d75cd63.exe	csrss.exe
PID 1652 wrote to memory of 384	1652	b986859e09e5eda5c996a7368d75cd63.exe	csrss.exe
PID 1652 wrote to memory of 384	1652	b986859e09e5eda5c996a7368d75cd63.exe	csrss.exe
PID 1652 wrote to memory of 384	1652	b986859e09e5eda5c996a7368d75cd63.exe	csrss.exe
PID 1652 wrote to memory of 384	1652	b986859e09e5eda5c996a7368d75cd63.exe	csrss.exe
PID 1652 wrote to memory of 420	1652	b986859e09e5eda5c996a7368d75cd63.exe	winlogon.exe
PID 1652 wrote to memory of 420	1652	b986859e09e5eda5c996a7368d75cd63.exe	winlogon.exe
PID 1652 wrote to memory of 420	1652	b986859e09e5eda5c996a7368d75cd63.exe	winlogon.exe
PID 1652 wrote to memory of 420	1652	b986859e09e5eda5c996a7368d75cd63.exe	winlogon.exe
PID 1652 wrote to memory of 420	1652	b986859e09e5eda5c996a7368d75cd63.exe	winlogon.exe
PID 1652 wrote to memory of 420	1652	b986859e09e5eda5c996a7368d75cd63.exe	winlogon.exe
PID 1652 wrote to memory of 464	1652	b986859e09e5eda5c996a7368d75cd63.exe	services.exe
PID 1652 wrote to memory of 464	1652	b986859e09e5eda5c996a7368d75cd63.exe	services.exe
PID 1652 wrote to memory of 464	1652	b986859e09e5eda5c996a7368d75cd63.exe	services.exe
PID 1652 wrote to memory of 464	1652	b986859e09e5eda5c996a7368d75cd63.exe	services.exe
PID 1652 wrote to memory of 464	1652	b986859e09e5eda5c996a7368d75cd63.exe	services.exe
PID 1652 wrote to memory of 464	1652	b986859e09e5eda5c996a7368d75cd63.exe	services.exe
PID 1652 wrote to memory of 480	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsass.exe
PID 1652 wrote to memory of 480	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsass.exe
PID 1652 wrote to memory of 480	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsass.exe
PID 1652 wrote to memory of 480	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsass.exe
PID 1652 wrote to memory of 480	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsass.exe
PID 1652 wrote to memory of 480	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsass.exe
PID 1652 wrote to memory of 488	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsm.exe
PID 1652 wrote to memory of 488	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsm.exe
PID 1652 wrote to memory of 488	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsm.exe
PID 1652 wrote to memory of 488	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsm.exe
PID 1652 wrote to memory of 488	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsm.exe
PID 1652 wrote to memory of 488	1652	b986859e09e5eda5c996a7368d75cd63.exe	lsm.exe
PID 1652 wrote to memory of 580	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 580	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 580	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 580	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 580	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 580	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 660	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 660	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 660	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 660	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 660	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 660	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 736	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 736	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 736	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 736	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 736	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 736	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 792	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 792	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 792	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 792	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 792	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 792	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 832	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 832	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 832	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe
PID 1652 wrote to memory of 832	1652	b986859e09e5eda5c996a7368d75cd63.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1808

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\b986859e09e5eda5c996a7368d75cd63.exe
"C:\Users\Admin\AppData\Local\Temp\b986859e09e5eda5c996a7368d75cd63.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1028

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:936

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\b986859e09e5eda5c996a7368d75cd63.exe
C:\Users\Admin\AppData\Local\Temp\b986859e09e5eda5c996a7368d75cd63.exe -m security
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-57-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/1652-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1652-55-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/1652-58-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/1652-59-0x000000007EF80000-0x000000007EF89000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads