41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f

General

Target

41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe
Size

296KB
MD5

3d7a5b83b6c8fdd5df34cbb0d23483de
SHA1

e774dc8e30008338844f096c6ade70e2c092052d
SHA256

41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f
SHA512

804a888abd4982913cc1c1e1585040fb6be47c1ca37b5be9eb6c52d6c419c038dfaf18f670e1fa942f2f316fac49e4e613beb39a4a54d21d6df7371bb5947182
SSDEEP

6144:Nnh4rMUW2f5mn4cwBPQD4od7FwDvKbrAGeGYiRqVVc67HJz:zf1o2faKbrAGeuRqVCqF

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\URFNZWN8PN.exe = "C:\\Users\\Admin\\AppData\\Roaming\\URFNZWN8PN.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 2 IoCs

Processes:

tmp7B4F.tmp.exetmp7B4F.tmp.exe

pid process

532 tmp7B4F.tmp.exe
4180 tmp7B4F.tmp.exe

pid	process
532	tmp7B4F.tmp.exe
4180	tmp7B4F.tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exetmp7B4F.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp7B4F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exetmp7B4F.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1078409990.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7B4F.tmp.exe"	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\109097301.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7B4F.tmp.exe\""	tmp7B4F.tmp.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe
File created	C:\Windows\assembly\Desktop.ini	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe

description pid process target process

PID 2492 set thread context of 788 2492 41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe vbc.exe

description	pid	process	target process
PID 2492 set thread context of 788	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	vbc.exe

Drops file in Windows directory 3 IoCs

Processes:

41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe
File created	C:\Windows\assembly\Desktop.ini	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

3744 reg.exe
5048 reg.exe
1508 reg.exe
1504 reg.exe

pid	process
3744	reg.exe
5048	reg.exe
1508	reg.exe
1504	reg.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exetmp7B4F.tmp.exevbc.exetmp7B4F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe
Token: SeDebugPrivilege	532	tmp7B4F.tmp.exe
Token: 1	788	vbc.exe
Token: SeCreateTokenPrivilege	788	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	788	vbc.exe
Token: SeLockMemoryPrivilege	788	vbc.exe
Token: SeIncreaseQuotaPrivilege	788	vbc.exe
Token: SeMachineAccountPrivilege	788	vbc.exe
Token: SeTcbPrivilege	788	vbc.exe
Token: SeSecurityPrivilege	788	vbc.exe
Token: SeTakeOwnershipPrivilege	788	vbc.exe
Token: SeLoadDriverPrivilege	788	vbc.exe
Token: SeSystemProfilePrivilege	788	vbc.exe
Token: SeSystemtimePrivilege	788	vbc.exe
Token: SeProfSingleProcessPrivilege	788	vbc.exe
Token: SeIncBasePriorityPrivilege	788	vbc.exe
Token: SeCreatePagefilePrivilege	788	vbc.exe
Token: SeCreatePermanentPrivilege	788	vbc.exe
Token: SeBackupPrivilege	788	vbc.exe
Token: SeRestorePrivilege	788	vbc.exe
Token: SeShutdownPrivilege	788	vbc.exe
Token: SeDebugPrivilege	788	vbc.exe
Token: SeAuditPrivilege	788	vbc.exe
Token: SeSystemEnvironmentPrivilege	788	vbc.exe
Token: SeChangeNotifyPrivilege	788	vbc.exe
Token: SeRemoteShutdownPrivilege	788	vbc.exe
Token: SeUndockPrivilege	788	vbc.exe
Token: SeSyncAgentPrivilege	788	vbc.exe
Token: SeEnableDelegationPrivilege	788	vbc.exe
Token: SeManageVolumePrivilege	788	vbc.exe
Token: SeImpersonatePrivilege	788	vbc.exe
Token: SeCreateGlobalPrivilege	788	vbc.exe
Token: 31	788	vbc.exe
Token: 32	788	vbc.exe
Token: 33	788	vbc.exe
Token: 34	788	vbc.exe
Token: 35	788	vbc.exe
Token: SeDebugPrivilege	4180	tmp7B4F.tmp.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

vbc.exe

pid process

788 vbc.exe
788 vbc.exe
788 vbc.exe
788 vbc.exe
788 vbc.exe
788 vbc.exe
788 vbc.exe
788 vbc.exe

pid	process
788	vbc.exe
788	vbc.exe
788	vbc.exe
788	vbc.exe
788	vbc.exe
788	vbc.exe
788	vbc.exe
788	vbc.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exetmp7B4F.tmp.exevbc.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2492 wrote to memory of 532	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	tmp7B4F.tmp.exe
PID 2492 wrote to memory of 532	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	tmp7B4F.tmp.exe
PID 2492 wrote to memory of 532	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	tmp7B4F.tmp.exe
PID 532 wrote to memory of 4180	532	tmp7B4F.tmp.exe	tmp7B4F.tmp.exe
PID 532 wrote to memory of 4180	532	tmp7B4F.tmp.exe	tmp7B4F.tmp.exe
PID 532 wrote to memory of 4180	532	tmp7B4F.tmp.exe	tmp7B4F.tmp.exe
PID 2492 wrote to memory of 788	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	vbc.exe
PID 2492 wrote to memory of 788	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	vbc.exe
PID 2492 wrote to memory of 788	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	vbc.exe
PID 2492 wrote to memory of 788	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	vbc.exe
PID 2492 wrote to memory of 788	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	vbc.exe
PID 2492 wrote to memory of 788	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	vbc.exe
PID 2492 wrote to memory of 788	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	vbc.exe
PID 2492 wrote to memory of 788	2492	41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe	vbc.exe
PID 788 wrote to memory of 5016	788	vbc.exe	cmd.exe
PID 788 wrote to memory of 5016	788	vbc.exe	cmd.exe
PID 788 wrote to memory of 5016	788	vbc.exe	cmd.exe
PID 788 wrote to memory of 4820	788	vbc.exe	cmd.exe
PID 788 wrote to memory of 4820	788	vbc.exe	cmd.exe
PID 788 wrote to memory of 4820	788	vbc.exe	cmd.exe
PID 788 wrote to memory of 4744	788	vbc.exe	cmd.exe
PID 788 wrote to memory of 4744	788	vbc.exe	cmd.exe
PID 788 wrote to memory of 4744	788	vbc.exe	cmd.exe
PID 788 wrote to memory of 5032	788	vbc.exe	cmd.exe
PID 788 wrote to memory of 5032	788	vbc.exe	cmd.exe
PID 788 wrote to memory of 5032	788	vbc.exe	cmd.exe
PID 4744 wrote to memory of 1504	4744	cmd.exe	reg.exe
PID 4744 wrote to memory of 1504	4744	cmd.exe	reg.exe
PID 4744 wrote to memory of 1504	4744	cmd.exe	reg.exe
PID 5032 wrote to memory of 1508	5032	cmd.exe	reg.exe
PID 5032 wrote to memory of 1508	5032	cmd.exe	reg.exe
PID 5032 wrote to memory of 1508	5032	cmd.exe	reg.exe
PID 5016 wrote to memory of 3744	5016	cmd.exe	reg.exe
PID 5016 wrote to memory of 3744	5016	cmd.exe	reg.exe
PID 5016 wrote to memory of 3744	5016	cmd.exe	reg.exe
PID 4820 wrote to memory of 5048	4820	cmd.exe	reg.exe
PID 4820 wrote to memory of 5048	4820	cmd.exe	reg.exe
PID 4820 wrote to memory of 5048	4820	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe
"C:\Users\Admin\AppData\Local\Temp\41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp.exe" /pq
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp.exe" /px
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:3744

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\URFNZWN8PN.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\URFNZWN8PN.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\URFNZWN8PN.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\URFNZWN8PN.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\tmp7B4F.tmp.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp.exe

Filesize
296KB

MD5
3d7a5b83b6c8fdd5df34cbb0d23483de

SHA1
e774dc8e30008338844f096c6ade70e2c092052d

SHA256
41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f

SHA512
804a888abd4982913cc1c1e1585040fb6be47c1ca37b5be9eb6c52d6c419c038dfaf18f670e1fa942f2f316fac49e4e613beb39a4a54d21d6df7371bb5947182

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp.exe

Filesize
296KB

MD5
3d7a5b83b6c8fdd5df34cbb0d23483de

SHA1
e774dc8e30008338844f096c6ade70e2c092052d

SHA256
41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f

SHA512
804a888abd4982913cc1c1e1585040fb6be47c1ca37b5be9eb6c52d6c419c038dfaf18f670e1fa942f2f316fac49e4e613beb39a4a54d21d6df7371bb5947182

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp.exe

Filesize
296KB

MD5
3d7a5b83b6c8fdd5df34cbb0d23483de

SHA1
e774dc8e30008338844f096c6ade70e2c092052d

SHA256
41707206bb6ac790542519a9cad6a438c71e5b1e3eeef5f95f99f7cd19126d9f

SHA512
804a888abd4982913cc1c1e1585040fb6be47c1ca37b5be9eb6c52d6c419c038dfaf18f670e1fa942f2f316fac49e4e613beb39a4a54d21d6df7371bb5947182

Download Submit
memory/532-133-0x0000000000000000-mapping.dmp

Download
memory/532-136-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/532-140-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/788-146-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/788-141-0x0000000000000000-mapping.dmp

Download
memory/788-142-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/788-144-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1504-156-0x0000000000000000-mapping.dmp

Download
memory/1508-157-0x0000000000000000-mapping.dmp

Download
memory/2492-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/2492-160-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/3744-158-0x0000000000000000-mapping.dmp

Download
memory/4180-155-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4180-137-0x0000000000000000-mapping.dmp

Download
memory/4180-149-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-153-0x0000000000000000-mapping.dmp

Download
memory/4820-152-0x0000000000000000-mapping.dmp

Download
memory/5016-151-0x0000000000000000-mapping.dmp

Download
memory/5032-154-0x0000000000000000-mapping.dmp

Download
memory/5048-159-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads