49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8

General

Target

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Size

124KB
MD5

70d24101bbf1b1c0586eda8cb43b0b86
SHA1

05b7f3c58ddee28044006efb66020597a7d52c36
SHA256

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8
SHA512

b2d4f60dd2999d8fa739a89ed08ed2fc9f3946647667d72960c0b0c9a5ca91aa803641d7961372726e6faaeb853ff9b95df1f473afe771ff8a38748364d2e569
SSDEEP

3072:ZlLfBpLN3a1P4eSZWWGNBrGnrKB+3s/s1Ic44g1j0JPuG:TBX24eSjGncrXCSIc

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

Executes dropped EXE 2 IoCs

Processes:

vhWow3esMlp.exevhWow3esMlp.exe

pid process

1680 vhWow3esMlp.exe
1924 vhWow3esMlp.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1960 netsh.exe
1980 netsh.exe

pid	process
1680	vhWow3esMlp.exe
1924	vhWow3esMlp.exe

pid	process
1960	netsh.exe
1980	netsh.exe

Loads dropped DLL 2 IoCs

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

pid	process
564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vhWow3esMlp = "C:\\ProgramData\\3cfdec86b2da3c13a849930b80390b04\\vhWow3esMlp.exe"	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 bot.whatismyipaddress.com

flow	ioc
5	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exevhWow3esMlp.exe

description	pid	process	target process
PID 1472 set thread context of 564	1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1680 set thread context of 1924	1680	vhWow3esMlp.exe	vhWow3esMlp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exevhWow3esMlp.exevhWow3esMlp.exe

pid	process
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1680	vhWow3esMlp.exe
1924	vhWow3esMlp.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exevhWow3esMlp.exevhWow3esMlp.exe

description	pid	process
Token: SeDebugPrivilege	1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Token: SeDebugPrivilege	564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Token: SeDebugPrivilege	564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Token: SeDebugPrivilege	564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Token: SeDebugPrivilege	1680	vhWow3esMlp.exe
Token: SeDebugPrivilege	1924	vhWow3esMlp.exe
Token: SeDebugPrivilege	1924	vhWow3esMlp.exe
Token: SeDebugPrivilege	1924	vhWow3esMlp.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exevhWow3esMlp.exevhWow3esMlp.exe

description	pid	process	target process
PID 1472 wrote to memory of 564	1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1472 wrote to memory of 564	1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1472 wrote to memory of 564	1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1472 wrote to memory of 564	1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1472 wrote to memory of 564	1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1472 wrote to memory of 564	1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1472 wrote to memory of 564	1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1472 wrote to memory of 564	1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1472 wrote to memory of 564	1472	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 564 wrote to memory of 1960	564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	netsh.exe
PID 564 wrote to memory of 1960	564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	netsh.exe
PID 564 wrote to memory of 1960	564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	netsh.exe
PID 564 wrote to memory of 1960	564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	netsh.exe
PID 564 wrote to memory of 1680	564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	vhWow3esMlp.exe
PID 564 wrote to memory of 1680	564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	vhWow3esMlp.exe
PID 564 wrote to memory of 1680	564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	vhWow3esMlp.exe
PID 564 wrote to memory of 1680	564	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	vhWow3esMlp.exe
PID 1680 wrote to memory of 1924	1680	vhWow3esMlp.exe	vhWow3esMlp.exe
PID 1680 wrote to memory of 1924	1680	vhWow3esMlp.exe	vhWow3esMlp.exe
PID 1680 wrote to memory of 1924	1680	vhWow3esMlp.exe	vhWow3esMlp.exe
PID 1680 wrote to memory of 1924	1680	vhWow3esMlp.exe	vhWow3esMlp.exe
PID 1680 wrote to memory of 1924	1680	vhWow3esMlp.exe	vhWow3esMlp.exe
PID 1680 wrote to memory of 1924	1680	vhWow3esMlp.exe	vhWow3esMlp.exe
PID 1680 wrote to memory of 1924	1680	vhWow3esMlp.exe	vhWow3esMlp.exe
PID 1680 wrote to memory of 1924	1680	vhWow3esMlp.exe	vhWow3esMlp.exe
PID 1680 wrote to memory of 1924	1680	vhWow3esMlp.exe	vhWow3esMlp.exe
PID 1924 wrote to memory of 1980	1924	vhWow3esMlp.exe	netsh.exe
PID 1924 wrote to memory of 1980	1924	vhWow3esMlp.exe	netsh.exe
PID 1924 wrote to memory of 1980	1924	vhWow3esMlp.exe	netsh.exe
PID 1924 wrote to memory of 1980	1924	vhWow3esMlp.exe	netsh.exe
PID 1924 wrote to memory of 1204	1924	vhWow3esMlp.exe	WScript.exe
PID 1924 wrote to memory of 1204	1924	vhWow3esMlp.exe	WScript.exe
PID 1924 wrote to memory of 1204	1924	vhWow3esMlp.exe	WScript.exe
PID 1924 wrote to memory of 1204	1924	vhWow3esMlp.exe	WScript.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

C:\Users\Admin\AppData\Local\Temp\49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
"C:\Users\Admin\AppData\Local\Temp\49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
"C:\Users\Admin\AppData\Local\Temp\49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe"
2⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:564

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:1960

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\vhWow3esMlp.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\vhWow3esMlp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\vhWow3esMlp.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\vhWow3esMlp.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
5⤵
- Modifies Windows Firewall
PID:1980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\HKkZCEJ.vbs"
5⤵
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.{1e69ee4b-0de4-3437-8433-efecf940be05}\1e69ee4b0de434378433efecf940be05

Filesize
43B

MD5
97e19e40270e32a2e501643978819ebc

SHA1
ed5a66ac38c71fb5e89e48979cb29b90e5f36ae7

SHA256
0ded5c9fbaacb2df0ffdad9788d5262f5af11afed7602b442b3461004e804069

SHA512
f01373e37d75097a8ad426474c597134be53b3af2fbb079ea8a86e394518421f386878be068b5aeb6b958b1da003ee99713f9e792c0a982ebc30d57c00cf8f7e

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\vhWow3esMlp.exe

Filesize
124KB

MD5
70d24101bbf1b1c0586eda8cb43b0b86

SHA1
05b7f3c58ddee28044006efb66020597a7d52c36

SHA256
49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8

SHA512
b2d4f60dd2999d8fa739a89ed08ed2fc9f3946647667d72960c0b0c9a5ca91aa803641d7961372726e6faaeb853ff9b95df1f473afe771ff8a38748364d2e569

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\vhWow3esMlp.exe

Filesize
124KB

MD5
70d24101bbf1b1c0586eda8cb43b0b86

SHA1
05b7f3c58ddee28044006efb66020597a7d52c36

SHA256
49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8

SHA512
b2d4f60dd2999d8fa739a89ed08ed2fc9f3946647667d72960c0b0c9a5ca91aa803641d7961372726e6faaeb853ff9b95df1f473afe771ff8a38748364d2e569

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\vhWow3esMlp.exe

Filesize
124KB

MD5
70d24101bbf1b1c0586eda8cb43b0b86

SHA1
05b7f3c58ddee28044006efb66020597a7d52c36

SHA256
49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8

SHA512
b2d4f60dd2999d8fa739a89ed08ed2fc9f3946647667d72960c0b0c9a5ca91aa803641d7961372726e6faaeb853ff9b95df1f473afe771ff8a38748364d2e569

Download Submit
C:\ProgramData\HKkZCEJ.vbs

Filesize
686B

MD5
01b1fbceb35d2117adc379d0dba31515

SHA1
423add7191137bd543c912cce604896dafc4b30d

SHA256
ffaab5fa0524f0edd49cf7bd10c4dc7d1587392ee95b3137a890fb0aba0f90b6

SHA512
7c9f91601e341cf9c21783f249739ab4f20365a89bfa226f7ce2f8ec517763589951e10c9c2d65c883371a885ae62b85604cf66acf86ab1f06ea73cf5cd2b2d4

Download Submit
\ProgramData\3cfdec86b2da3c13a849930b80390b04\vhWow3esMlp.exe

Filesize
124KB

MD5
70d24101bbf1b1c0586eda8cb43b0b86

SHA1
05b7f3c58ddee28044006efb66020597a7d52c36

SHA256
49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8

SHA512
b2d4f60dd2999d8fa739a89ed08ed2fc9f3946647667d72960c0b0c9a5ca91aa803641d7961372726e6faaeb853ff9b95df1f473afe771ff8a38748364d2e569

Download Submit
\ProgramData\3cfdec86b2da3c13a849930b80390b04\vhWow3esMlp.exe

Filesize
124KB

MD5
70d24101bbf1b1c0586eda8cb43b0b86

SHA1
05b7f3c58ddee28044006efb66020597a7d52c36

SHA256
49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8

SHA512
b2d4f60dd2999d8fa739a89ed08ed2fc9f3946647667d72960c0b0c9a5ca91aa803641d7961372726e6faaeb853ff9b95df1f473afe771ff8a38748364d2e569

Download Submit
memory/564-62-0x000000000041750A-mapping.dmp

Download
memory/564-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/564-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/564-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/564-70-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/564-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/564-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/564-77-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/564-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/564-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1204-96-0x0000000000000000-mapping.dmp

Download
memory/1472-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1472-55-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-99-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-73-0x0000000000000000-mapping.dmp

Download
memory/1680-93-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-100-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-94-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-84-0x000000000041750A-mapping.dmp

Download
memory/1924-101-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-68-0x0000000000000000-mapping.dmp

Download
memory/1980-92-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads