faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93

General

Target

faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Size

849KB
MD5

bf350cf4757a520127a3e6de80b76754
SHA1

a74f40b3ad24b2c48b32c0fb76a57dec2c212ce9
SHA256

faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93
SHA512

b5eded250ae4fa4edca09b6a9512dc5eb302fa1f17e89de4116fac032207437b5069bac621016ddb7b0410fae01f3bc8086720044840d9e44adadfcb63df9894
SSDEEP

24576:Ws7TqIBdD9hOxSxo0k+HqYkQ0TLRhbqMS8F:Ws7TVOl0k+kVRhGm

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\SunJava\\JavaUpdata.exe"	reg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe -rundll32 /SYSTEM32 \"C:\\Windows\\System32\\taskmgr.exe\" \"C:\\Program Files\\Microsoft\\Windows\""	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooy3y = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe

description	pid	process	target process
PID 1384 set thread context of 1712	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe

pid	process
1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe

description	pid	process
Token: SeDebugPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeIncreaseQuotaPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeSecurityPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeTakeOwnershipPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeLoadDriverPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeSystemProfilePrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeSystemtimePrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeProfSingleProcessPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeIncBasePriorityPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeCreatePagefilePrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeBackupPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeRestorePrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeShutdownPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeDebugPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeSystemEnvironmentPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeRemoteShutdownPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeUndockPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeManageVolumePrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: 33	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: 34	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: 35	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeIncreaseQuotaPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeSecurityPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeTakeOwnershipPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeLoadDriverPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeSystemProfilePrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeSystemtimePrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeProfSingleProcessPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeIncBasePriorityPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeCreatePagefilePrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeBackupPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeRestorePrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeShutdownPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeDebugPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeSystemEnvironmentPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeRemoteShutdownPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeUndockPrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: SeManageVolumePrivilege	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: 33	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: 34	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Token: 35	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1680 DllHost.exe

pid	process
1680	DllHost.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.execmd.exefaeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe

description	pid	process	target process
PID 1384 wrote to memory of 1712	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
PID 1384 wrote to memory of 1712	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
PID 1384 wrote to memory of 1712	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
PID 1384 wrote to memory of 1712	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
PID 1384 wrote to memory of 1712	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
PID 1384 wrote to memory of 1712	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
PID 1384 wrote to memory of 1712	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
PID 1384 wrote to memory of 1712	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
PID 1384 wrote to memory of 1712	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
PID 1384 wrote to memory of 1524	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	cmd.exe
PID 1384 wrote to memory of 1524	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	cmd.exe
PID 1384 wrote to memory of 1524	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	cmd.exe
PID 1384 wrote to memory of 1524	1384	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	cmd.exe
PID 1524 wrote to memory of 432	1524	cmd.exe	reg.exe
PID 1524 wrote to memory of 432	1524	cmd.exe	reg.exe
PID 1524 wrote to memory of 432	1524	cmd.exe	reg.exe
PID 1524 wrote to memory of 432	1524	cmd.exe	reg.exe
PID 1712 wrote to memory of 796	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	svchost.exe
PID 1712 wrote to memory of 260	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	smss.exe
PID 1712 wrote to memory of 1680	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	DllHost.exe
PID 1712 wrote to memory of 608	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	wmiprvse.exe
PID 1712 wrote to memory of 868	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	svchost.exe
PID 1712 wrote to memory of 332	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	csrss.exe
PID 1712 wrote to memory of 836	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	svchost.exe
PID 1712 wrote to memory of 416	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	winlogon.exe
PID 1712 wrote to memory of 1216	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	WMIADAP.EXE
PID 1712 wrote to memory of 1748	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	svchost.exe
PID 1712 wrote to memory of 1120	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	taskhost.exe
PID 1712 wrote to memory of 580	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	svchost.exe
PID 1712 wrote to memory of 300	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	svchost.exe
PID 1712 wrote to memory of 488	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	lsm.exe
PID 1712 wrote to memory of 480	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	lsass.exe
PID 1712 wrote to memory of 656	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	svchost.exe
PID 1712 wrote to memory of 740	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	svchost.exe
PID 1712 wrote to memory of 1184	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	Dwm.exe
PID 1712 wrote to memory of 288	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	spoolsv.exe
PID 1712 wrote to memory of 376	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	csrss.exe
PID 1712 wrote to memory of 460	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	services.exe
PID 1712 wrote to memory of 368	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	wininit.exe
PID 1712 wrote to memory of 1044	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	svchost.exe
PID 1712 wrote to memory of 1964	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	sppsvc.exe
PID 1712 wrote to memory of 1248	1712	faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe	Explorer.EXE

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1748

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1964

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:580

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
3⤵
- Suspicious use of FindShellTrayWindow
PID:1680

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
3⤵
PID:608

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1216

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
"C:\Users\Admin\AppData\Local\Temp\faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
"C:\Users\Admin\AppData\Local\Temp\faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\SunJava\JavaUpdata.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\SunJava\JavaUpdata.exe"
4⤵
- Modifies WinLogon for persistence
PID:432

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\715.jpg
Filesize
473KB

MD5
25432475a9606bf2590a93e35609efb2

SHA1
01bb0174cd76489a415506a72eb8ab10dfee0919

SHA256
a22e372d4e8b17cb4e5e857bf860001851374f4e13707fa034c1c7fe8b7fdc57

SHA512
aa9bd637758274af06f7f7a5829acca5877618afd34690e34128ec8012a32e7366d7d7032cc954c55757099ce8e2ef9f6339c9dd73c4f1beec7d7c80a5cee184

Download Submit
memory/432-73-0x0000000000000000-mapping.dmp

Download
memory/1384-55-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1384-56-0x0000000000C75000-0x0000000000C86000-memory.dmp

Filesize
68KB

Download
memory/1384-57-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1384-54-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1384-75-0x0000000000C75000-0x0000000000C86000-memory.dmp

Filesize
68KB

Download
memory/1384-74-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-72-0x0000000000000000-mapping.dmp

Download
memory/1712-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1712-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1712-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1712-66-0x00000000004324DE-mapping.dmp

Download
memory/1712-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1712-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1712-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1712-76-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-59-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1712-78-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-79-0x0000000000B26000-0x0000000000B37000-memory.dmp

Filesize
68KB

Download
memory/1712-80-0x0000000000B26000-0x0000000000B37000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads