f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc

General

Target

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
Size

254KB
MD5

134e5e2107b7a64b9d098bedfe64eb40
SHA1

5301b808503aa80dc5cdffe778f648110d6a18ad
SHA256

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc
SHA512

b0be44dc201dc2a10204538109b5feac05cd0af35d53fee3fb91504c9efa4c206489f7004a357a9808e84e0d046547a9bbe5c10889eb7bc5ca6834ed184730c7
SSDEEP

3072:BddKhdgcyetZPShTIzdD32PoNnvPyCXjH4H471I3N0KgCEV5RUsBIJ4CcauqyFJQ:BdCtBKMdiwNnvPyFL3THeQ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ywots.exeywots.exe

pid process

1628 ywots.exe
1108 ywots.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1676 cmd.exe

pid	process
1628	ywots.exe
1108	ywots.exe

pid	process
1676	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe

pid	process
1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ywots.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	ywots.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	ywots.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ewwaaluri = "C:\\Users\\Admin\\AppData\\Roaming\\Zeapwu\\ywots.exe"	ywots.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exeywots.exe

description	pid	process	target process
PID 1324 set thread context of 1312	1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1628 set thread context of 1108	1628	ywots.exe	ywots.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exeywots.exeywots.exe

pid	process
1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
1628	ywots.exe
1628	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe
1108	ywots.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe

description	pid	process
Token: SeSecurityPrivilege	1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
Token: SeSecurityPrivilege	1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exef2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exeywots.exeywots.exe

description	pid	process	target process
PID 1324 wrote to memory of 1312	1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1324 wrote to memory of 1312	1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1324 wrote to memory of 1312	1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1324 wrote to memory of 1312	1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1324 wrote to memory of 1312	1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1324 wrote to memory of 1312	1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1324 wrote to memory of 1312	1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1324 wrote to memory of 1312	1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1324 wrote to memory of 1312	1324	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1312 wrote to memory of 1628	1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	ywots.exe
PID 1312 wrote to memory of 1628	1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	ywots.exe
PID 1312 wrote to memory of 1628	1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	ywots.exe
PID 1312 wrote to memory of 1628	1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	ywots.exe
PID 1628 wrote to memory of 1108	1628	ywots.exe	ywots.exe
PID 1628 wrote to memory of 1108	1628	ywots.exe	ywots.exe
PID 1628 wrote to memory of 1108	1628	ywots.exe	ywots.exe
PID 1628 wrote to memory of 1108	1628	ywots.exe	ywots.exe
PID 1628 wrote to memory of 1108	1628	ywots.exe	ywots.exe
PID 1628 wrote to memory of 1108	1628	ywots.exe	ywots.exe
PID 1628 wrote to memory of 1108	1628	ywots.exe	ywots.exe
PID 1628 wrote to memory of 1108	1628	ywots.exe	ywots.exe
PID 1628 wrote to memory of 1108	1628	ywots.exe	ywots.exe
PID 1108 wrote to memory of 1128	1108	ywots.exe	taskhost.exe
PID 1108 wrote to memory of 1128	1108	ywots.exe	taskhost.exe
PID 1108 wrote to memory of 1128	1108	ywots.exe	taskhost.exe
PID 1108 wrote to memory of 1128	1108	ywots.exe	taskhost.exe
PID 1108 wrote to memory of 1128	1108	ywots.exe	taskhost.exe
PID 1108 wrote to memory of 1240	1108	ywots.exe	Dwm.exe
PID 1108 wrote to memory of 1240	1108	ywots.exe	Dwm.exe
PID 1108 wrote to memory of 1240	1108	ywots.exe	Dwm.exe
PID 1108 wrote to memory of 1240	1108	ywots.exe	Dwm.exe
PID 1108 wrote to memory of 1240	1108	ywots.exe	Dwm.exe
PID 1108 wrote to memory of 1276	1108	ywots.exe	Explorer.EXE
PID 1108 wrote to memory of 1276	1108	ywots.exe	Explorer.EXE
PID 1108 wrote to memory of 1276	1108	ywots.exe	Explorer.EXE
PID 1108 wrote to memory of 1276	1108	ywots.exe	Explorer.EXE
PID 1108 wrote to memory of 1276	1108	ywots.exe	Explorer.EXE
PID 1108 wrote to memory of 1312	1108	ywots.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1108 wrote to memory of 1312	1108	ywots.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1108 wrote to memory of 1312	1108	ywots.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1108 wrote to memory of 1312	1108	ywots.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1108 wrote to memory of 1312	1108	ywots.exe	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
PID 1312 wrote to memory of 1676	1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	cmd.exe
PID 1312 wrote to memory of 1676	1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	cmd.exe
PID 1312 wrote to memory of 1676	1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	cmd.exe
PID 1312 wrote to memory of 1676	1312	f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe	cmd.exe
PID 1108 wrote to memory of 1676	1108	ywots.exe	cmd.exe
PID 1108 wrote to memory of 1676	1108	ywots.exe	cmd.exe
PID 1108 wrote to memory of 1676	1108	ywots.exe	cmd.exe
PID 1108 wrote to memory of 1676	1108	ywots.exe	cmd.exe
PID 1108 wrote to memory of 1676	1108	ywots.exe	cmd.exe
PID 1108 wrote to memory of 1452	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1452	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1452	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1452	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1452	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1612	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1612	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1612	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1612	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1612	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1444	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1444	1108	ywots.exe	DllHost.exe
PID 1108 wrote to memory of 1444	1108	ywots.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
"C:\Users\Admin\AppData\Local\Temp\f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe
"C:\Users\Admin\AppData\Local\Temp\f2a056db6259ebd853ed4fd83466feb54659f07a76bfaf02201357ae252c11dc.exe"
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Roaming\Zeapwu\ywots.exe
"C:\Users\Admin\AppData\Roaming\Zeapwu\ywots.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Roaming\Zeapwu\ywots.exe
"C:\Users\Admin\AppData\Roaming\Zeapwu\ywots.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp998e6de8.bat"
4⤵
- Deletes itself
PID:1676

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1452

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1444

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1076

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:824

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp998e6de8.bat
Filesize
307B

MD5
807181cff23ab36c39d8d3f413a514f4

SHA1
6c5ca69e75306ac389cb6507dab0fb64f2d9d8eb

SHA256
eb56dc0ad550508356a6d4823704957b923bbee58196dc151a0174672025bcb4

SHA512
4e4e780fad3bc9dc7a7b1cb3e94856bcd1fd2a0d0e8b3cbe4998305ad788adf327a5a7773c108ef0d298fbd5fbf74d082f2567587aaf924786e7e444159c3f82

Download Submit
C:\Users\Admin\AppData\Roaming\Zeapwu\ywots.exe
Filesize
254KB

MD5
f37e4db8cc0fee6ed6c350577ab8ed0c

SHA1
d612d5f3a85ceb2a2de940752cf6b7846c63958f

SHA256
aa86a856be98e6c36e12b10a52032d67568bdb77ae94df0c83122b5befd3673f

SHA512
3245f37e4bb5fc25fca8ce91a4793268754f39b9d34bbd527161d6af94d0ace14ccf6ff4a1811f3b4e346febe4fb6e542481e845094b4eabf270af1251a46a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Zeapwu\ywots.exe
Filesize
254KB

MD5
f37e4db8cc0fee6ed6c350577ab8ed0c

SHA1
d612d5f3a85ceb2a2de940752cf6b7846c63958f

SHA256
aa86a856be98e6c36e12b10a52032d67568bdb77ae94df0c83122b5befd3673f

SHA512
3245f37e4bb5fc25fca8ce91a4793268754f39b9d34bbd527161d6af94d0ace14ccf6ff4a1811f3b4e346febe4fb6e542481e845094b4eabf270af1251a46a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Zeapwu\ywots.exe
Filesize
254KB

MD5
f37e4db8cc0fee6ed6c350577ab8ed0c

SHA1
d612d5f3a85ceb2a2de940752cf6b7846c63958f

SHA256
aa86a856be98e6c36e12b10a52032d67568bdb77ae94df0c83122b5befd3673f

SHA512
3245f37e4bb5fc25fca8ce91a4793268754f39b9d34bbd527161d6af94d0ace14ccf6ff4a1811f3b4e346febe4fb6e542481e845094b4eabf270af1251a46a8c

Download Submit
\Users\Admin\AppData\Roaming\Zeapwu\ywots.exe
Filesize
254KB

MD5
f37e4db8cc0fee6ed6c350577ab8ed0c

SHA1
d612d5f3a85ceb2a2de940752cf6b7846c63958f

SHA256
aa86a856be98e6c36e12b10a52032d67568bdb77ae94df0c83122b5befd3673f

SHA512
3245f37e4bb5fc25fca8ce91a4793268754f39b9d34bbd527161d6af94d0ace14ccf6ff4a1811f3b4e346febe4fb6e542481e845094b4eabf270af1251a46a8c

Download Submit
\Users\Admin\AppData\Roaming\Zeapwu\ywots.exe
Filesize
254KB

MD5
f37e4db8cc0fee6ed6c350577ab8ed0c

SHA1
d612d5f3a85ceb2a2de940752cf6b7846c63958f

SHA256
aa86a856be98e6c36e12b10a52032d67568bdb77ae94df0c83122b5befd3673f

SHA512
3245f37e4bb5fc25fca8ce91a4793268754f39b9d34bbd527161d6af94d0ace14ccf6ff4a1811f3b4e346febe4fb6e542481e845094b4eabf270af1251a46a8c

Download Submit
memory/1108-82-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1108-77-0x000000000042B055-mapping.dmp

Download
memory/1128-88-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/1128-87-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/1128-86-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/1128-85-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/1240-94-0x0000000001AD0000-0x0000000001B0B000-memory.dmp

Filesize
236KB

Download
memory/1240-91-0x0000000001AD0000-0x0000000001B0B000-memory.dmp

Filesize
236KB

Download
memory/1240-93-0x0000000001AD0000-0x0000000001B0B000-memory.dmp

Filesize
236KB

Download
memory/1240-92-0x0000000001AD0000-0x0000000001B0B000-memory.dmp

Filesize
236KB

Download
memory/1276-97-0x0000000002970000-0x00000000029AB000-memory.dmp

Filesize
236KB

Download
memory/1276-98-0x0000000002970000-0x00000000029AB000-memory.dmp

Filesize
236KB

Download
memory/1276-100-0x0000000002970000-0x00000000029AB000-memory.dmp

Filesize
236KB

Download
memory/1276-99-0x0000000002970000-0x00000000029AB000-memory.dmp

Filesize
236KB

Download
memory/1312-103-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-108-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1312-61-0x000000000042B055-mapping.dmp

Download
memory/1312-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1312-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1312-63-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1312-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1312-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1312-105-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-106-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1312-104-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-107-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-110-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-57-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1312-114-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-112-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-116-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-118-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-120-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-122-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-124-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-126-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-129-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-138-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1312-136-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1628-67-0x0000000000000000-mapping.dmp

Download
memory/1676-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads