a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b

General

Target

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Size

132KB
MD5

52c46d7818f7ebe5d5ce91a9fec8f500
SHA1

21c8805de8f489c1a857023992f941cc34a8a983
SHA256

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b
SHA512

91a04c5da0692406b69bb17255b375d34fc44236d0d8971259ffbecd2085a6c9a1cb738f59cc5417deeca7d88684142f3bc830e0901ddd04c269e466b86101c2
SSDEEP

1536:5CwpMY9Uz6EA3lp4IN+1yVKr2zqB5If9:4Y6fA39N7uBk

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\lssas.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lssas.exe:*:Enabled:Windows Defense"	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MicrosoftCorp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lssas.exe"	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

Executes dropped EXE 2 IoCs

Processes:

lssas.exelssas.exe

pid process

324 lssas.exe
1000 lssas.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1920 netsh.exe

pid	process
324	lssas.exe
1000	lssas.exe

pid	process
1920	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1116-57-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1116-62-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1116-63-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1116-79-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1000-89-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1000-90-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exelssas.exe

pid	process
1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
324	lssas.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lssas.exe"	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lssas.exe"	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exelssas.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	lssas.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	lssas.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exelssas.exe

description	pid	process	target process
PID 968 set thread context of 1116	968	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 324 set thread context of 1000	324	lssas.exe	lssas.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

824 taskkill.exe
604 taskkill.exe
1352 taskkill.exe
692 taskkill.exe

pid	process
824	taskkill.exe
604	taskkill.exe
1352	taskkill.exe
692	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exelssas.exe

pid process

968 a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
324 lssas.exe

pid	process
968	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
324	lssas.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exea6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exelssas.exe

description	pid	process	target process
PID 968 wrote to memory of 1116	968	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 968 wrote to memory of 1116	968	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 968 wrote to memory of 1116	968	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 968 wrote to memory of 1116	968	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 968 wrote to memory of 1116	968	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 968 wrote to memory of 1116	968	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 968 wrote to memory of 1116	968	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 968 wrote to memory of 1116	968	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 968 wrote to memory of 1116	968	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 1116 wrote to memory of 1920	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	netsh.exe
PID 1116 wrote to memory of 1920	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	netsh.exe
PID 1116 wrote to memory of 1920	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	netsh.exe
PID 1116 wrote to memory of 1920	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	netsh.exe
PID 1116 wrote to memory of 692	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 692	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 692	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 692	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 824	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 824	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 824	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 824	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 604	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 604	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 604	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 604	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 1352	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 1352	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 1352	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 1352	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1116 wrote to memory of 324	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	lssas.exe
PID 1116 wrote to memory of 324	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	lssas.exe
PID 1116 wrote to memory of 324	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	lssas.exe
PID 1116 wrote to memory of 324	1116	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	lssas.exe
PID 324 wrote to memory of 1000	324	lssas.exe	lssas.exe
PID 324 wrote to memory of 1000	324	lssas.exe	lssas.exe
PID 324 wrote to memory of 1000	324	lssas.exe	lssas.exe
PID 324 wrote to memory of 1000	324	lssas.exe	lssas.exe
PID 324 wrote to memory of 1000	324	lssas.exe	lssas.exe
PID 324 wrote to memory of 1000	324	lssas.exe	lssas.exe
PID 324 wrote to memory of 1000	324	lssas.exe	lssas.exe
PID 324 wrote to memory of 1000	324	lssas.exe	lssas.exe
PID 324 wrote to memory of 1000	324	lssas.exe	lssas.exe

C:\Users\Admin\AppData\Local\Temp\a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
"C:\Users\Admin\AppData\Local\Temp\a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
C:\Users\Admin\AppData\Local\Temp\a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
2⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Users\Admin\AppData\Local\Temp\lssas.exe WindowsSafety ENABLE
3⤵
- Modifies Windows Firewall
PID:1920

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM winlog.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM svchost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM csrss.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM lsass.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Users\Admin\AppData\Local\Temp\lssas.exe
"C:\Users\Admin\AppData\Local\Temp\lssas.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\lssas.exe
C:\Users\Admin\AppData\Local\Temp\lssas.exe
4⤵
- Executes dropped EXE
PID:1000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lssas.exe
Filesize
132KB

MD5
52c46d7818f7ebe5d5ce91a9fec8f500

SHA1
21c8805de8f489c1a857023992f941cc34a8a983

SHA256
a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b

SHA512
91a04c5da0692406b69bb17255b375d34fc44236d0d8971259ffbecd2085a6c9a1cb738f59cc5417deeca7d88684142f3bc830e0901ddd04c269e466b86101c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lssas.exe
Filesize
132KB

MD5
52c46d7818f7ebe5d5ce91a9fec8f500

SHA1
21c8805de8f489c1a857023992f941cc34a8a983

SHA256
a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b

SHA512
91a04c5da0692406b69bb17255b375d34fc44236d0d8971259ffbecd2085a6c9a1cb738f59cc5417deeca7d88684142f3bc830e0901ddd04c269e466b86101c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lssas.exe
Filesize
132KB

MD5
52c46d7818f7ebe5d5ce91a9fec8f500

SHA1
21c8805de8f489c1a857023992f941cc34a8a983

SHA256
a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b

SHA512
91a04c5da0692406b69bb17255b375d34fc44236d0d8971259ffbecd2085a6c9a1cb738f59cc5417deeca7d88684142f3bc830e0901ddd04c269e466b86101c2

Download Submit
\Users\Admin\AppData\Local\Temp\lssas.exe
Filesize
132KB

MD5
52c46d7818f7ebe5d5ce91a9fec8f500

SHA1
21c8805de8f489c1a857023992f941cc34a8a983

SHA256
a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b

SHA512
91a04c5da0692406b69bb17255b375d34fc44236d0d8971259ffbecd2085a6c9a1cb738f59cc5417deeca7d88684142f3bc830e0901ddd04c269e466b86101c2

Download Submit
\Users\Admin\AppData\Local\Temp\lssas.exe
Filesize
132KB

MD5
52c46d7818f7ebe5d5ce91a9fec8f500

SHA1
21c8805de8f489c1a857023992f941cc34a8a983

SHA256
a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b

SHA512
91a04c5da0692406b69bb17255b375d34fc44236d0d8971259ffbecd2085a6c9a1cb738f59cc5417deeca7d88684142f3bc830e0901ddd04c269e466b86101c2

Download Submit
\Users\Admin\AppData\Local\Temp\lssas.exe
Filesize
132KB

MD5
52c46d7818f7ebe5d5ce91a9fec8f500

SHA1
21c8805de8f489c1a857023992f941cc34a8a983

SHA256
a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b

SHA512
91a04c5da0692406b69bb17255b375d34fc44236d0d8971259ffbecd2085a6c9a1cb738f59cc5417deeca7d88684142f3bc830e0901ddd04c269e466b86101c2

Download Submit
memory/324-86-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/324-77-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/324-71-0x0000000000000000-mapping.dmp

Download
memory/604-67-0x0000000000000000-mapping.dmp

Download
memory/692-65-0x0000000000000000-mapping.dmp

Download
memory/824-66-0x0000000000000000-mapping.dmp

Download
memory/968-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/968-56-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1000-89-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-83-0x0000000000411360-mapping.dmp

Download
memory/1000-90-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1116-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1116-75-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/1116-79-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1116-76-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/1116-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1116-60-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1116-58-0x0000000000411360-mapping.dmp

Download
memory/1116-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1352-68-0x0000000000000000-mapping.dmp

Download
memory/1920-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads