4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0

General

Target

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
Size

329KB
MD5

3fbd95361e604f32a1f7fc19aa896361
SHA1

7edf9fad5c4a6927eac6d6e83a5b8eeae3095fde
SHA256

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0
SHA512

86fcd9f548f89e77e9734d0582f3f9351fc2b8b83183638850e1298e0fe6ad22f9b3c3651bf5427f5d31604734bc27370a40ddca7fdcc85e398619044b48aa89
SSDEEP

6144:QqpxvlACym6wGGWFGDwZyoJ3fzBeM6SpktqHQI6mVk8cL3/CzYjsHh:QqjvlA06wLBHAf9eMvHwmVkhL36zYwHh

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\57f57b11.sys 4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1936 takeown.exe
1676 icacls.exe
1968 takeown.exe
1964 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\57f57b11.sys	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

pid	process
1936	takeown.exe
1676	icacls.exe
1968	takeown.exe
1964	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\57f57b11\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\57f57b11.sys"	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1988 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1936 takeown.exe
1676 icacls.exe
1968 takeown.exe
1964 icacls.exe

pid	process
1988	cmd.exe

pid	process
1936	takeown.exe
1676	icacls.exe
1968	takeown.exe
1964	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

Drops file in System32 directory 4 IoCs

Processes:

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ws2tcpip.dll	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
File created	C:\Windows\SysWOW64\midimap.dll	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

Modifies registry class 4 IoCs

Processes:

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe"	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "uqbuArfr.dll"	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

pid	process
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

pid process

464
1052 4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

pid	process
464
1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
Token: SeTakeOwnershipPrivilege	1968	takeown.exe
Token: SeTakeOwnershipPrivilege	1936	takeown.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.execmd.execmd.exe

description	pid	process	target process
PID 1052 wrote to memory of 1632	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe
PID 1052 wrote to memory of 1632	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe
PID 1052 wrote to memory of 1632	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe
PID 1052 wrote to memory of 1632	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe
PID 1632 wrote to memory of 1968	1632	cmd.exe	takeown.exe
PID 1632 wrote to memory of 1968	1632	cmd.exe	takeown.exe
PID 1632 wrote to memory of 1968	1632	cmd.exe	takeown.exe
PID 1632 wrote to memory of 1968	1632	cmd.exe	takeown.exe
PID 1632 wrote to memory of 1964	1632	cmd.exe	icacls.exe
PID 1632 wrote to memory of 1964	1632	cmd.exe	icacls.exe
PID 1632 wrote to memory of 1964	1632	cmd.exe	icacls.exe
PID 1632 wrote to memory of 1964	1632	cmd.exe	icacls.exe
PID 1052 wrote to memory of 1784	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe
PID 1052 wrote to memory of 1784	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe
PID 1052 wrote to memory of 1784	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe
PID 1052 wrote to memory of 1784	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe
PID 1784 wrote to memory of 1936	1784	cmd.exe	takeown.exe
PID 1784 wrote to memory of 1936	1784	cmd.exe	takeown.exe
PID 1784 wrote to memory of 1936	1784	cmd.exe	takeown.exe
PID 1784 wrote to memory of 1936	1784	cmd.exe	takeown.exe
PID 1784 wrote to memory of 1676	1784	cmd.exe	icacls.exe
PID 1784 wrote to memory of 1676	1784	cmd.exe	icacls.exe
PID 1784 wrote to memory of 1676	1784	cmd.exe	icacls.exe
PID 1784 wrote to memory of 1676	1784	cmd.exe	icacls.exe
PID 1052 wrote to memory of 1988	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe
PID 1052 wrote to memory of 1988	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe
PID 1052 wrote to memory of 1988	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe
PID 1052 wrote to memory of 1988	1052	4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe
"C:\Users\Admin\AppData\Local\Temp\4c316c9eb117f7cc8084f04098a5f03469690bc4fe4a449ae369a4b6ec49a9e0.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
- Deletes itself
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat

Filesize
181B

MD5
ad328b02bd518ed083a6dc0e654d23ca

SHA1
03a6d9920754d51116f183899ed8c5025fc90870

SHA256
0525089c4d0c489545370da46819ef72524257b338bbe7514be77a9ab89b9756

SHA512
cdcb34cac8d9225692b177e7794d14337bf7c11f39e150edfbaf3c3085ac4e97fd891beb2f51840f99fa522cd4b52e6874a0d4a1834e651cb582ef3672498806

Download Submit
memory/1052-55-0x0000000001000000-0x0000000001168000-memory.dmp

Filesize
1.4MB

Download
memory/1052-56-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/1052-57-0x0000000001000000-0x0000000001168000-memory.dmp

Filesize
1.4MB

Download
memory/1052-58-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/1052-66-0x0000000001000000-0x0000000001168000-memory.dmp

Filesize
1.4MB

Download
memory/1052-54-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/1632-59-0x0000000000000000-mapping.dmp

Download
memory/1676-64-0x0000000000000000-mapping.dmp

Download
memory/1784-62-0x0000000000000000-mapping.dmp

Download
memory/1936-63-0x0000000000000000-mapping.dmp

Download
memory/1964-61-0x0000000000000000-mapping.dmp

Download
memory/1968-60-0x0000000000000000-mapping.dmp

Download
memory/1988-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads