c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee

General

Target

c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee.exe
Size

1.5MB
MD5

54639aa125db4aebe41299332989f3a0
SHA1

068acdc404596d7941cf3ab35b90c1fff813913e
SHA256

c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee
SHA512

c2aa4788b72bbe70728396b6f61aa16bba91c2364580097ff829b1372fc12d2b7ea40340b797ce6a6ae00bb34094b317d05ca874871b5b52de5a366e85df1345
SSDEEP

24576:xTOp7CMa34abMhtTEGM91uMUodM/a0MdptbGAD5WdtBGRxsCYr0aG8:5R93EtIGM91uP2M/JpAD5W4xsCSbl

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Windows Loader.exebootsect.exe

pid process

1752 Windows Loader.exe
1804 bootsect.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1740 icacls.exe
1960 takeown.exe
976 icacls.exe
1704 takeown.exe

pid	process
1752	Windows Loader.exe
1804	bootsect.exe

pid	process
1740	icacls.exe
1960	takeown.exe
976	icacls.exe
1704	takeown.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Loader.exe	upx
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Loader.exe	upx
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Loader.exe	upx
behavioral1/memory/1752-123-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/1752-131-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/1752-156-0x0000000000400000-0x0000000000623000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Windows Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Windows Loader.exe

Loads dropped DLL 1 IoCs

Processes:

c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee.exe

pid process

1732 c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

976 icacls.exe
1704 takeown.exe
1740 icacls.exe
1960 takeown.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1732	c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee.exe

pid	process
976	icacls.exe
1704	takeown.exe
1740	icacls.exe
1960	takeown.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows Loader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Windows Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Windows Loader.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Windows Loader.exe

pid process

1752 Windows Loader.exe

pid	process
1752	Windows Loader.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Windows Loader.exetakeown.exetakeown.exeshutdown.exeAUDIODG.EXE

description	pid	process
Token: 33	1752	Windows Loader.exe
Token: SeIncBasePriorityPrivilege	1752	Windows Loader.exe
Token: SeTakeOwnershipPrivilege	1960	takeown.exe
Token: SeTakeOwnershipPrivilege	1704	takeown.exe
Token: SeShutdownPrivilege	1172	shutdown.exe
Token: SeRemoteShutdownPrivilege	1172	shutdown.exe
Token: 33	960	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	960	AUDIODG.EXE
Token: 33	960	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	960	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Windows Loader.exe

pid process

1752 Windows Loader.exe
1752 Windows Loader.exe

pid	process
1752	Windows Loader.exe
1752	Windows Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee.exeWindows Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1732 wrote to memory of 1752	1732	c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee.exe	Windows Loader.exe
PID 1732 wrote to memory of 1752	1732	c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee.exe	Windows Loader.exe
PID 1732 wrote to memory of 1752	1732	c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee.exe	Windows Loader.exe
PID 1732 wrote to memory of 1752	1732	c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee.exe	Windows Loader.exe
PID 1752 wrote to memory of 108	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 108	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 108	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 108	1752	Windows Loader.exe	cmd.exe
PID 108 wrote to memory of 1492	108	cmd.exe	cmd.exe
PID 108 wrote to memory of 1492	108	cmd.exe	cmd.exe
PID 108 wrote to memory of 1492	108	cmd.exe	cmd.exe
PID 108 wrote to memory of 1492	108	cmd.exe	cmd.exe
PID 1492 wrote to memory of 1960	1492	cmd.exe	takeown.exe
PID 1492 wrote to memory of 1960	1492	cmd.exe	takeown.exe
PID 1492 wrote to memory of 1960	1492	cmd.exe	takeown.exe
PID 1492 wrote to memory of 1960	1492	cmd.exe	takeown.exe
PID 1752 wrote to memory of 1716	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1716	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1716	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1716	1752	Windows Loader.exe	cmd.exe
PID 1716 wrote to memory of 976	1716	cmd.exe	icacls.exe
PID 1716 wrote to memory of 976	1716	cmd.exe	icacls.exe
PID 1716 wrote to memory of 976	1716	cmd.exe	icacls.exe
PID 1716 wrote to memory of 976	1716	cmd.exe	icacls.exe
PID 1752 wrote to memory of 1788	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1788	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1788	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1788	1752	Windows Loader.exe	cmd.exe
PID 1788 wrote to memory of 1660	1788	cmd.exe	cmd.exe
PID 1788 wrote to memory of 1660	1788	cmd.exe	cmd.exe
PID 1788 wrote to memory of 1660	1788	cmd.exe	cmd.exe
PID 1788 wrote to memory of 1660	1788	cmd.exe	cmd.exe
PID 1660 wrote to memory of 1704	1660	cmd.exe	takeown.exe
PID 1660 wrote to memory of 1704	1660	cmd.exe	takeown.exe
PID 1660 wrote to memory of 1704	1660	cmd.exe	takeown.exe
PID 1660 wrote to memory of 1704	1660	cmd.exe	takeown.exe
PID 1752 wrote to memory of 1088	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1088	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1088	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1088	1752	Windows Loader.exe	cmd.exe
PID 1088 wrote to memory of 1740	1088	cmd.exe	icacls.exe
PID 1088 wrote to memory of 1740	1088	cmd.exe	icacls.exe
PID 1088 wrote to memory of 1740	1088	cmd.exe	icacls.exe
PID 1088 wrote to memory of 1740	1088	cmd.exe	icacls.exe
PID 1752 wrote to memory of 1628	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1628	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1628	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1628	1752	Windows Loader.exe	cmd.exe
PID 1628 wrote to memory of 516	1628	cmd.exe	cscript.exe
PID 1628 wrote to memory of 516	1628	cmd.exe	cscript.exe
PID 1628 wrote to memory of 516	1628	cmd.exe	cscript.exe
PID 1752 wrote to memory of 1924	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1924	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1924	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1924	1752	Windows Loader.exe	cmd.exe
PID 1924 wrote to memory of 1688	1924	cmd.exe	cscript.exe
PID 1924 wrote to memory of 1688	1924	cmd.exe	cscript.exe
PID 1924 wrote to memory of 1688	1924	cmd.exe	cscript.exe
PID 1752 wrote to memory of 1744	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1744	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1744	1752	Windows Loader.exe	cmd.exe
PID 1752 wrote to memory of 1744	1752	Windows Loader.exe	cmd.exe
PID 1744 wrote to memory of 824	1744	cmd.exe	compact.exe
PID 1744 wrote to memory of 824	1744	cmd.exe	compact.exe

C:\Users\Admin\AppData\Local\Temp\c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee.exe
"C:\Users\Admin\AppData\Local\Temp\c4685f11a53a74df878aaa7076ea7e0a64c4a9489ed83961b323b4694860f3ee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Loader.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Loader.exe" /silent /restart
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
3⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
4⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
3⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
3⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
4⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
3⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1740

C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
3⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
4⤵
PID:516

C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
3⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
4⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "compact /u \\?\Volume{6abee743-1a82-11ed-8290-806e6f6e6963}\UOXAH"
3⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\compact.exe
compact /u \\?\Volume{6abee743-1a82-11ed-8290-806e6f6e6963}\UOXAH
4⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
3⤵
PID:336

C:\bootsect.exe
C:\bootsect.exe /nt60 SYS /force
4⤵
- Executes dropped EXE
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "shutdown -r -t 0"
3⤵
PID:592

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:960

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Acer.XRM-MS
Filesize
2KB

MD5
f25832af6a684360950dbb15589de34a

SHA1
17ff1d21005c1695ae3dcbdc3435017c895fff5d

SHA256
266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

SHA512
e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Keys.ini
Filesize
14KB

MD5
3bb894d0d458970e1eea0a45e21918cb

SHA1
4dc2c42cf0b123806cfb353154ffb467b0639a24

SHA256
898a61c5527bc13d45ddd6e9da23a14673065ec389438710aecdcfb254df87d8

SHA512
f01ee2c12b8ce5efa3d25ca331517653ac19df6d0285a42354d2c0b3ef26dc08194652077f48e12d9602334a5c75ef5572e4f2bf35132580313f96c2cfdaa1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Loader.exe
Filesize
3.8MB

MD5
3976bd5fcbb7cd13f0c12bb69afc2adc

SHA1
3b6bdca414a53df7c8c5096b953c4df87a1091c7

SHA256
bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40

SHA512
0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Loader.exe
Filesize
3.8MB

MD5
3976bd5fcbb7cd13f0c12bb69afc2adc

SHA1
3b6bdca414a53df7c8c5096b953c4df87a1091c7

SHA256
bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40

SHA512
0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341

Download Submit
C:\bootsect.exe
Filesize
95KB

MD5
fae3c41059e4f15f99d0287b7af4dd6c

SHA1
dd5f620a13cd4b580c59a27979fd7f6ca6c832cd

SHA256
ad970a30f97a96c358110271b3fc627eb36574c46489ba1ef959817e59b8ae70

SHA512
2cf9f504c7e6fe784dd11c70e98e2194ab1e7dd5c1b3685f4470c28bdbf95346cc0a442a7554be5f047ad7e1f8c6c96e124f2ad91ad5175ebec6dbf945dba5ce

Download Submit
C:\bootsect.exe
Filesize
95KB

MD5
fae3c41059e4f15f99d0287b7af4dd6c

SHA1
dd5f620a13cd4b580c59a27979fd7f6ca6c832cd

SHA256
ad970a30f97a96c358110271b3fc627eb36574c46489ba1ef959817e59b8ae70

SHA512
2cf9f504c7e6fe784dd11c70e98e2194ab1e7dd5c1b3685f4470c28bdbf95346cc0a442a7554be5f047ad7e1f8c6c96e124f2ad91ad5175ebec6dbf945dba5ce

Download Submit
\??\Volume{6abee743-1a82-11ed-8290-806e6f6e6963}\UOXAH
Filesize
358KB

MD5
b219b9914cb84db5724583dd3c35d124

SHA1
75d7e14af0c9b46e6a86975403eb6ab65e30ac46

SHA256
be477dfda4e7072ab7149d65a7bda7fd5b03fe3937dbb27a973759a92d12eeed

SHA512
6a632ef36ea8706b367d5ff5f37ba129a32613081b1bef8e42e594b404281655dbad1a68eaeed89116441987c4cfe9df6975db7929c5d87bb77f1913efcc6ce1

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Loader.exe
Filesize
3.8MB

MD5
3976bd5fcbb7cd13f0c12bb69afc2adc

SHA1
3b6bdca414a53df7c8c5096b953c4df87a1091c7

SHA256
bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40

SHA512
0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341

Download Submit
memory/108-127-0x0000000000000000-mapping.dmp

Download
memory/336-148-0x0000000000000000-mapping.dmp

Download
memory/516-140-0x0000000000000000-mapping.dmp

Download
memory/592-153-0x0000000000000000-mapping.dmp

Download
memory/824-145-0x0000000000000000-mapping.dmp

Download
memory/976-133-0x0000000000000000-mapping.dmp

Download
memory/1088-137-0x0000000000000000-mapping.dmp

Download
memory/1172-154-0x0000000000000000-mapping.dmp

Download
memory/1492-128-0x0000000000000000-mapping.dmp

Download
memory/1628-139-0x0000000000000000-mapping.dmp

Download
memory/1660-135-0x0000000000000000-mapping.dmp

Download
memory/1688-143-0x0000000000000000-mapping.dmp

Download
memory/1704-136-0x0000000000000000-mapping.dmp

Download
memory/1716-132-0x0000000000000000-mapping.dmp

Download
memory/1732-122-0x0000000002660000-0x0000000002883000-memory.dmp

Filesize
2.1MB

Download
memory/1732-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1732-130-0x0000000002660000-0x0000000002883000-memory.dmp

Filesize
2.1MB

Download
memory/1740-138-0x0000000000000000-mapping.dmp

Download
memory/1744-144-0x0000000000000000-mapping.dmp

Download
memory/1752-131-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1752-97-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/1752-156-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1752-124-0x0000000002630000-0x00000000027CA000-memory.dmp

Filesize
1.6MB

Download
memory/1752-123-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1752-121-0x0000000073DA1000-0x0000000073DA3000-memory.dmp

Filesize
8KB

Download
memory/1752-56-0x0000000000000000-mapping.dmp

Download
memory/1752-113-0x00000000003A0000-0x00000000003C0000-memory.dmp

Filesize
128KB

Download
memory/1752-105-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/1752-60-0x0000000000280000-0x0000000000293000-memory.dmp

Filesize
76KB

Download
memory/1752-89-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/1752-81-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1752-73-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1752-68-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1788-134-0x0000000000000000-mapping.dmp

Download
memory/1804-150-0x0000000000000000-mapping.dmp

Download
memory/1924-142-0x0000000000000000-mapping.dmp

Download
memory/1960-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads