b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd

General

Target

b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
Size

1.7MB
MD5

597029dcb2738c17be6d79814cdaf229
SHA1

4a99520e5e2070d02883cdba89ecf188b3b39add
SHA256

b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd
SHA512

6d80f6cbaf71e20f8622d0d3bdf4a263da9cddad8d53c4230ff0df302feba29a297f66fa9fb04c4660e5227074c3f6c8f97b2f770054c749f9f002691b6094d0
SSDEEP

24576:eRmJkcoQricOIQxiZY1iaH0xxxxxxxxxxxxxxvMi6Ro1s8JyfsOqa6tBkazn572J:LJZoQrbTFZY1ia8MiNFyfsOlc95Iku

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1712-139-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1712-141-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1712-142-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1712-145-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4072-148-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4072-150-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4072-149-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4072-152-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4072-154-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4072-155-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4072-156-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/1712-161-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

Drops startup file 2 IoCs

Processes:

b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exeb1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

description	pid	process	target process
PID 4972 set thread context of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 set thread context of 1712	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4848 set thread context of 4072	4848	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exeb1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

pid	process
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exeb1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

pid	process
3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exeb1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

pid	process
3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exeb1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exeb1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

pid	process
1712	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4848	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4072	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exeb1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exeb1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

C:\Users\Admin\AppData\Local\Temp\b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
"C:\Users\Admin\AppData\Local\Temp\b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
"C:\Users\Admin\AppData\Local\Temp\b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\eWEpCwslF
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
"C:\Users\Admin\AppData\Local\Temp\b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
C:\Users\Admin\AppData\Local\Temp\b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
4⤵
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Users\Admin\AppData\Local\Temp\b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
"C:\Users\Admin\AppData\Local\Temp\b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eWEpCwslF
Filesize
812KB

MD5
dad5d2d610e1c0264e664f73a10197c6

SHA1
28ae30e028bd6edf793ba094e937041dd6ac1801

SHA256
061fdd248897c3b4ea237ebfbe01f2907d7e2ed69254766ebddd36186b88d4dd

SHA512
17a21f5335c03265074106982ce371885f73c0bc932f175e1bedd891d02e1227aa4bb3ba03990c03ed9012c6239ba58d3023a4f21a04a7fa9005535b324dbd92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.dat
Filesize
2B

MD5
93e00066d099c0485cfffa1359246d26

SHA1
bc69a773f37b2f2071e25f755a66d47b871e5d98

SHA256
3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

SHA512
d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.nfo
Filesize
3KB

MD5
5fae023d0f4d9d94bcdbf6b5581a71ca

SHA1
b6569e50b87b53c912430e8fe1dc1eda4192053e

SHA256
1ff222637a9ef5c034bba5747b119bba0b7635aaf308832d2410d83b89f07ea2

SHA512
97718df3e5f51d20966e4682bcd3ec29b43deafa912b46977197d51e55a1a34431f601462d658e58f5b6057e6708315b38f3a7432494ba8b0dbac31471b90b1c

Download Submit
memory/1712-142-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1712-161-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1712-138-0x0000000000000000-mapping.dmp

Download
memory/1712-139-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1712-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1712-141-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4072-147-0x0000000000000000-mapping.dmp

Download
memory/4072-156-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4072-162-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/4072-160-0x0000000001611000-0x00000000016C4000-memory.dmp

Filesize
716KB

Download
memory/4072-148-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4072-150-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4072-149-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4072-152-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4072-154-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4072-159-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/4072-155-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4848-153-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4848-137-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4848-136-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4848-135-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4848-134-0x0000000000000000-mapping.dmp

Download
memory/4848-146-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4972-132-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3036 wrote to memory of 4972	3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 3036 wrote to memory of 4972	3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 3036 wrote to memory of 4972	3036	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 4848	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 1712	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 1712	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 1712	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 1712	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 1712	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 1712	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 1712	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4972 wrote to memory of 1712	4972	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4848 wrote to memory of 4072	4848	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4848 wrote to memory of 4072	4848	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4848 wrote to memory of 4072	4848	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4848 wrote to memory of 4072	4848	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4848 wrote to memory of 4072	4848	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4848 wrote to memory of 4072	4848	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4848 wrote to memory of 4072	4848	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe
PID 4848 wrote to memory of 4072	4848	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe	b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads