49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8

General

Target

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Size

124KB
MD5

70d24101bbf1b1c0586eda8cb43b0b86
SHA1

05b7f3c58ddee28044006efb66020597a7d52c36
SHA256

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8
SHA512

b2d4f60dd2999d8fa739a89ed08ed2fc9f3946647667d72960c0b0c9a5ca91aa803641d7961372726e6faaeb853ff9b95df1f473afe771ff8a38748364d2e569
SSDEEP

3072:ZlLfBpLN3a1P4eSZWWGNBrGnrKB+3s/s1Ic44g1j0JPuG:TBX24eSjGncrXCSIc

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

Executes dropped EXE 2 IoCs

Processes:

CrrupatfSjetol.exeCrrupatfSjetol.exe

pid process

4560 CrrupatfSjetol.exe
4284 CrrupatfSjetol.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4268 netsh.exe
4160 netsh.exe

pid	process
4560	CrrupatfSjetol.exe
4284	CrrupatfSjetol.exe

pid	process
4268	netsh.exe
4160	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exeCrrupatfSjetol.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	CrrupatfSjetol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrrupatfSjetol = "C:\\ProgramData\\3cfdec86b2da3c13a849930b80390b04\\CrrupatfSjetol.exe"	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 bot.whatismyipaddress.com

flow	ioc
17	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exeCrrupatfSjetol.exe

description	pid	process	target process
PID 1400 set thread context of 3884	1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 4560 set thread context of 4284	4560	CrrupatfSjetol.exe	CrrupatfSjetol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

CrrupatfSjetol.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings CrrupatfSjetol.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	CrrupatfSjetol.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exeCrrupatfSjetol.exe

pid	process
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
3884	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe
4560	CrrupatfSjetol.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exeCrrupatfSjetol.exeCrrupatfSjetol.exe

description	pid	process
Token: SeDebugPrivilege	1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Token: SeDebugPrivilege	3884	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Token: SeDebugPrivilege	3884	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Token: SeDebugPrivilege	3884	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Token: SeDebugPrivilege	4560	CrrupatfSjetol.exe
Token: SeDebugPrivilege	4284	CrrupatfSjetol.exe
Token: SeDebugPrivilege	4284	CrrupatfSjetol.exe
Token: SeDebugPrivilege	4284	CrrupatfSjetol.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exeCrrupatfSjetol.exeCrrupatfSjetol.exe

description	pid	process	target process
PID 1400 wrote to memory of 3884	1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1400 wrote to memory of 3884	1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1400 wrote to memory of 3884	1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1400 wrote to memory of 3884	1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1400 wrote to memory of 3884	1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1400 wrote to memory of 3884	1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1400 wrote to memory of 3884	1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 1400 wrote to memory of 3884	1400	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
PID 3884 wrote to memory of 4268	3884	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	netsh.exe
PID 3884 wrote to memory of 4268	3884	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	netsh.exe
PID 3884 wrote to memory of 4268	3884	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	netsh.exe
PID 3884 wrote to memory of 4560	3884	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	CrrupatfSjetol.exe
PID 3884 wrote to memory of 4560	3884	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	CrrupatfSjetol.exe
PID 3884 wrote to memory of 4560	3884	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe	CrrupatfSjetol.exe
PID 4560 wrote to memory of 4284	4560	CrrupatfSjetol.exe	CrrupatfSjetol.exe
PID 4560 wrote to memory of 4284	4560	CrrupatfSjetol.exe	CrrupatfSjetol.exe
PID 4560 wrote to memory of 4284	4560	CrrupatfSjetol.exe	CrrupatfSjetol.exe
PID 4560 wrote to memory of 4284	4560	CrrupatfSjetol.exe	CrrupatfSjetol.exe
PID 4560 wrote to memory of 4284	4560	CrrupatfSjetol.exe	CrrupatfSjetol.exe
PID 4560 wrote to memory of 4284	4560	CrrupatfSjetol.exe	CrrupatfSjetol.exe
PID 4560 wrote to memory of 4284	4560	CrrupatfSjetol.exe	CrrupatfSjetol.exe
PID 4560 wrote to memory of 4284	4560	CrrupatfSjetol.exe	CrrupatfSjetol.exe
PID 4284 wrote to memory of 4160	4284	CrrupatfSjetol.exe	netsh.exe
PID 4284 wrote to memory of 4160	4284	CrrupatfSjetol.exe	netsh.exe
PID 4284 wrote to memory of 4160	4284	CrrupatfSjetol.exe	netsh.exe
PID 4284 wrote to memory of 1340	4284	CrrupatfSjetol.exe	WScript.exe
PID 4284 wrote to memory of 1340	4284	CrrupatfSjetol.exe	WScript.exe
PID 4284 wrote to memory of 1340	4284	CrrupatfSjetol.exe	WScript.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe

C:\Users\Admin\AppData\Local\Temp\49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
"C:\Users\Admin\AppData\Local\Temp\49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe
"C:\Users\Admin\AppData\Local\Temp\49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8.exe"
2⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3884

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:4268

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\CrrupatfSjetol.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\CrrupatfSjetol.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\CrrupatfSjetol.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\CrrupatfSjetol.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
5⤵
- Modifies Windows Firewall
PID:4160

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\EqUxaAe.vbs"
5⤵
PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.{1e69ee4b-0de4-3437-8433-efecf940be05}\1e69ee4b0de434378433efecf940be05

Filesize
43B

MD5
0bd8e76be43df15e7b2d18debffef8ae

SHA1
6e768abe1ee221192975f117e2c1b87a6de73d61

SHA256
892bd6b1407445706cf182760e92e44bef414a7efb0a94d06cc97fea13c2a836

SHA512
92aaec89a341cc49d504e29f587fbbb75e30a6a3b8017acc8cb53c6b76d5140525e31e19846641c53b5ce511eb67d2fbee294a78ba5819dd058646493a31ff35

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\CrrupatfSjetol.exe

Filesize
124KB

MD5
70d24101bbf1b1c0586eda8cb43b0b86

SHA1
05b7f3c58ddee28044006efb66020597a7d52c36

SHA256
49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8

SHA512
b2d4f60dd2999d8fa739a89ed08ed2fc9f3946647667d72960c0b0c9a5ca91aa803641d7961372726e6faaeb853ff9b95df1f473afe771ff8a38748364d2e569

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\CrrupatfSjetol.exe

Filesize
124KB

MD5
70d24101bbf1b1c0586eda8cb43b0b86

SHA1
05b7f3c58ddee28044006efb66020597a7d52c36

SHA256
49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8

SHA512
b2d4f60dd2999d8fa739a89ed08ed2fc9f3946647667d72960c0b0c9a5ca91aa803641d7961372726e6faaeb853ff9b95df1f473afe771ff8a38748364d2e569

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\CrrupatfSjetol.exe

Filesize
124KB

MD5
70d24101bbf1b1c0586eda8cb43b0b86

SHA1
05b7f3c58ddee28044006efb66020597a7d52c36

SHA256
49b2cbb64440101fa6b838082a1ce986fe4bd1869069aef5f83167fad5f456c8

SHA512
b2d4f60dd2999d8fa739a89ed08ed2fc9f3946647667d72960c0b0c9a5ca91aa803641d7961372726e6faaeb853ff9b95df1f473afe771ff8a38748364d2e569

Download Submit
C:\ProgramData\EqUxaAe.vbs

Filesize
689B

MD5
db56613925842313574ddf5804481154

SHA1
a03f00a05568382094eff1237abd6a73b3e34296

SHA256
83aca24ead88621658155cf6b429a793aa846d4db7ff7f19240e258c78cf8e60

SHA512
0c8ab162c550000b339f7fbe1044f67ba7b9dbc3375489314f534c47a1b37b2c6b4f6b0c9c32571bbc88aa47ec81a68efd9f300a31ccb26f9cec8d5a6a079573

Download Submit
memory/1340-149-0x0000000000000000-mapping.dmp

Download
memory/1400-141-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/1400-132-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-140-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-135-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3884-133-0x0000000000000000-mapping.dmp

Download
memory/4160-147-0x0000000000000000-mapping.dmp

Download
memory/4268-136-0x0000000000000000-mapping.dmp

Download
memory/4284-148-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4284-143-0x0000000000000000-mapping.dmp

Download
memory/4284-152-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4560-142-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4560-137-0x0000000000000000-mapping.dmp

Download
memory/4560-151-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads