68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b

General

Target

68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe
Size

2.6MB
MD5

372138948ec17d399fc82ef919ea65b3
SHA1

f4e1c87117fcc311f54dc33923728fea0c112842
SHA256

68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b
SHA512

dedc989462ba73396c1a3ee88b2ece4583fd4363c7dd6a893781c5ef1af97bd34495ae8fd9889bfd82a4646a4d28e8fb95f24c9a338bb008d0dbc73d14cb266a
SSDEEP

49152:KlG4F99Cdb5sfelNY/KsZDOfIdDZ7TD11p8MXivSE744G+2/YbQKmYoidpXLRwmh:KlG4F9IdmfelNYJDOo17X1f8cGSNZlKZ

Score

8^/10

bootkit persistence upx vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

1main.vmp.exeqttxz.exe

pid process

1484 1main.vmp.exe
540 qttxz.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1484-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-70-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-68-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-78-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-80-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-84-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-88-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-92-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-94-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-96-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-100-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-102-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-105-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-107-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-109-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-111-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-113-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1484-115-0x00000000025A0000-0x0000000002612000-memory.dmp	upx
behavioral1/memory/1484-116-0x00000000025A0000-0x0000000002612000-memory.dmp	upx

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1main.vmp.exe	vmprotect
\Users\Admin\AppData\Local\Temp\1main.vmp.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\1main.vmp.exe	vmprotect
behavioral1/memory/1484-62-0x0000000000400000-0x0000000000695000-memory.dmp	vmprotect
behavioral1/memory/1484-64-0x0000000000400000-0x0000000000695000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\1main.vmp.exe	vmprotect
behavioral1/memory/1484-114-0x0000000000400000-0x0000000000695000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Temp\1main.vmp.exe	vmprotect

Loads dropped DLL 4 IoCs

Processes:

68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe1main.vmp.exe

pid	process
2028	68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe
2028	68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe
2028	68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe
1484	1main.vmp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

1main.vmp.exe

description ioc process

File opened for modification \??\PhysicalDrive0 1main.vmp.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

1main.vmp.exe

pid process

1484 1main.vmp.exe
Drops file in Windows directory 1 IoCs

Processes:

qttxz.exe

description ioc process

File opened for modification C:\Windows\s07120728 qttxz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	1main.vmp.exe

description	ioc	process
File opened for modification	C:\Windows\s07120728	qttxz.exe

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6CEE6750-6C0F-11ED-A843-F2E527DE56F1} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1main.vmp.exe

pid process

1484 1main.vmp.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1main.vmp.exe

description pid process

Token: SeShutdownPrivilege 1484 1main.vmp.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

812 IEXPLORE.EXE

pid	process
464

description	pid	process
Token: SeShutdownPrivilege	1484	1main.vmp.exe

pid	process
812	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

1main.vmp.exeqttxz.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1484	1main.vmp.exe
1484	1main.vmp.exe
540	qttxz.exe
540	qttxz.exe
1484	1main.vmp.exe
1484	1main.vmp.exe
1484	1main.vmp.exe
812	IEXPLORE.EXE
812	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exeqttxz.exeIEXPLORE.EXE

description	pid	process	target process
PID 2028 wrote to memory of 1484	2028	68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe	1main.vmp.exe
PID 2028 wrote to memory of 1484	2028	68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe	1main.vmp.exe
PID 2028 wrote to memory of 1484	2028	68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe	1main.vmp.exe
PID 2028 wrote to memory of 1484	2028	68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe	1main.vmp.exe
PID 2028 wrote to memory of 540	2028	68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe	qttxz.exe
PID 2028 wrote to memory of 540	2028	68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe	qttxz.exe
PID 2028 wrote to memory of 540	2028	68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe	qttxz.exe
PID 2028 wrote to memory of 540	2028	68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe	qttxz.exe
PID 540 wrote to memory of 812	540	qttxz.exe	IEXPLORE.EXE
PID 540 wrote to memory of 812	540	qttxz.exe	IEXPLORE.EXE
PID 540 wrote to memory of 812	540	qttxz.exe	IEXPLORE.EXE
PID 540 wrote to memory of 812	540	qttxz.exe	IEXPLORE.EXE
PID 540 wrote to memory of 656	540	qttxz.exe	cmd.exe
PID 540 wrote to memory of 656	540	qttxz.exe	cmd.exe
PID 540 wrote to memory of 656	540	qttxz.exe	cmd.exe
PID 540 wrote to memory of 656	540	qttxz.exe	cmd.exe
PID 812 wrote to memory of 1948	812	IEXPLORE.EXE	IEXPLORE.EXE
PID 812 wrote to memory of 1948	812	IEXPLORE.EXE	IEXPLORE.EXE
PID 812 wrote to memory of 1948	812	IEXPLORE.EXE	IEXPLORE.EXE
PID 812 wrote to memory of 1948	812	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe
"C:\Users\Admin\AppData\Local\Temp\68cf5832d4b74fcfa10bf18e120fd1f20969817e2c0671336f20569dd882385b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\1main.vmp.exe
"C:\Users\Admin\AppData\Local\Temp\1main.vmp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Users\Admin\AppData\Local\Temp\qttxz.exe
"C:\Users\Admin\AppData\Local\Temp\qttxz.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540

C:\Program Files\Internet Explorer\IEXPLORE.EXE
open http://qttxz.haoyue1688.com/qttxz.htm
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:812

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\qttxz.exe
3⤵
PID:656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1main.vmp.exe
Filesize
2.3MB

MD5
76731dd1633e4e558e496760f87166c6

SHA1
fc99880bf9910ae76df84e8d9e25e35c23db3064

SHA256
fd4af37b1e17c2c6dfe967b428d8f78e3b845083c4a91ec45f0bdf154782b566

SHA512
86e3bab9e49167e05f5bde74651e8568b52cc007840ba9a9d9f731b9cf2ecbf0b175ec096baf9b2838c9397ee54fd4d01367f1e9ca24426917346c0af35c6b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1main.vmp.exe
Filesize
2.3MB

MD5
76731dd1633e4e558e496760f87166c6

SHA1
fc99880bf9910ae76df84e8d9e25e35c23db3064

SHA256
fd4af37b1e17c2c6dfe967b428d8f78e3b845083c4a91ec45f0bdf154782b566

SHA512
86e3bab9e49167e05f5bde74651e8568b52cc007840ba9a9d9f731b9cf2ecbf0b175ec096baf9b2838c9397ee54fd4d01367f1e9ca24426917346c0af35c6b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qttxz.exe
Filesize
2.2MB

MD5
431b7cb4420b03df286d30329c3e5e9d

SHA1
aa7e96f8d2b7f782c3c1b398f4d0829665b164a9

SHA256
d83f014cfc6b36d2547027f2da443aa5c15990b1ba09fdcd0c00470b4e8926f2

SHA512
bd845dc57d14b2dc7c4b10f7bd4ed005704ce65821bba3ab36cea3a89d316b1c457f8870dba39dd8b5ab996b3f2b5efc764b82f00328f5f865a30a5e70398700

Download Submit
C:\Users\Admin\AppData\Local\Temp\qttxz.exe
Filesize
2.2MB

MD5
431b7cb4420b03df286d30329c3e5e9d

SHA1
aa7e96f8d2b7f782c3c1b398f4d0829665b164a9

SHA256
d83f014cfc6b36d2547027f2da443aa5c15990b1ba09fdcd0c00470b4e8926f2

SHA512
bd845dc57d14b2dc7c4b10f7bd4ed005704ce65821bba3ab36cea3a89d316b1c457f8870dba39dd8b5ab996b3f2b5efc764b82f00328f5f865a30a5e70398700

Download Submit
\Users\Admin\AppData\Local\Temp\1main.vmp.exe
Filesize
2.3MB

MD5
76731dd1633e4e558e496760f87166c6

SHA1
fc99880bf9910ae76df84e8d9e25e35c23db3064

SHA256
fd4af37b1e17c2c6dfe967b428d8f78e3b845083c4a91ec45f0bdf154782b566

SHA512
86e3bab9e49167e05f5bde74651e8568b52cc007840ba9a9d9f731b9cf2ecbf0b175ec096baf9b2838c9397ee54fd4d01367f1e9ca24426917346c0af35c6b9e

Download Submit
\Users\Admin\AppData\Local\Temp\1main.vmp.exe
Filesize
2.3MB

MD5
76731dd1633e4e558e496760f87166c6

SHA1
fc99880bf9910ae76df84e8d9e25e35c23db3064

SHA256
fd4af37b1e17c2c6dfe967b428d8f78e3b845083c4a91ec45f0bdf154782b566

SHA512
86e3bab9e49167e05f5bde74651e8568b52cc007840ba9a9d9f731b9cf2ecbf0b175ec096baf9b2838c9397ee54fd4d01367f1e9ca24426917346c0af35c6b9e

Download Submit
\Users\Admin\AppData\Local\Temp\1main.vmp.exe
Filesize
2.3MB

MD5
76731dd1633e4e558e496760f87166c6

SHA1
fc99880bf9910ae76df84e8d9e25e35c23db3064

SHA256
fd4af37b1e17c2c6dfe967b428d8f78e3b845083c4a91ec45f0bdf154782b566

SHA512
86e3bab9e49167e05f5bde74651e8568b52cc007840ba9a9d9f731b9cf2ecbf0b175ec096baf9b2838c9397ee54fd4d01367f1e9ca24426917346c0af35c6b9e

Download Submit
\Users\Admin\AppData\Local\Temp\qttxz.exe
Filesize
2.2MB

MD5
431b7cb4420b03df286d30329c3e5e9d

SHA1
aa7e96f8d2b7f782c3c1b398f4d0829665b164a9

SHA256
d83f014cfc6b36d2547027f2da443aa5c15990b1ba09fdcd0c00470b4e8926f2

SHA512
bd845dc57d14b2dc7c4b10f7bd4ed005704ce65821bba3ab36cea3a89d316b1c457f8870dba39dd8b5ab996b3f2b5efc764b82f00328f5f865a30a5e70398700

Download Submit
memory/540-82-0x0000000000000000-mapping.dmp

Download
memory/656-117-0x0000000000000000-mapping.dmp

Download
memory/1484-94-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-68-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-70-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-64-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/1484-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-96-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-78-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-80-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-120-0x0000000004480000-0x0000000004490000-memory.dmp

Filesize
64KB

Download
memory/1484-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-88-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-119-0x0000000004480000-0x0000000004490000-memory.dmp

Filesize
64KB

Download
memory/1484-62-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/1484-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-100-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-58-0x0000000000000000-mapping.dmp

Download
memory/1484-102-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-105-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-107-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-109-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-111-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-113-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1484-114-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/1484-115-0x00000000025A0000-0x0000000002612000-memory.dmp

Filesize
456KB

Download
memory/1484-116-0x00000000025A0000-0x0000000002612000-memory.dmp

Filesize
456KB

Download
memory/2028-61-0x0000000002CE0000-0x0000000002F75000-memory.dmp

Filesize
2.6MB

Download
memory/2028-55-0x0000000000310000-0x00000000003BC000-memory.dmp

Filesize
688KB

Download
memory/2028-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/2028-60-0x0000000002CE0000-0x0000000002F75000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads