3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256

Analysis

max time kernel
180s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Size

511KB
MD5

ff09a63248aec978bb702e0f27e139c9
SHA1

4a3a2c6368f195d652c358f8d78c551d57a5f73d
SHA256

3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256
SHA512

5a5a227ee932ceaf447b26e23ba40744c1b9f8e36585e901842819c2fc5fce4681e6c9d28279792d5f1a4d1a885669fea3901d67cb78c79634484058169d288a
SSDEEP

12288:JLSEVPn//QaMQydRQZd5dsYQupsvKiyyvlu:9Zn3mfd4QSyN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windefender.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windefender.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Windefender.exe"	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AD57BEE-0C6D-A6E5-A9EA-FADAA2CC7D0F}	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AD57BEE-0C6D-A6E5-A9EA-FADAA2CC7D0F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Windefender.exe"	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{5AD57BEE-0C6D-A6E5-A9EA-FADAA2CC7D0F}	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{5AD57BEE-0C6D-A6E5-A9EA-FADAA2CC7D0F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Windefender.exe"	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Windefender.exe"	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Windefender.exe"	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 792 set thread context of 5056	792	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	80

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3472	reg.exe
4596	reg.exe
3852	reg.exe
1976	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeCreateTokenPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeAssignPrimaryTokenPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeLockMemoryPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeIncreaseQuotaPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeMachineAccountPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeTcbPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeSecurityPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeTakeOwnershipPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeLoadDriverPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeSystemProfilePrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeSystemtimePrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeProfSingleProcessPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeIncBasePriorityPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeCreatePagefilePrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeCreatePermanentPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeBackupPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeRestorePrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeShutdownPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeDebugPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeAuditPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeSystemEnvironmentPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeChangeNotifyPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeRemoteShutdownPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeUndockPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeSyncAgentPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeEnableDelegationPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeManageVolumePrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeImpersonatePrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeCreateGlobalPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: 31	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: 32	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: 33	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: 34	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: 35	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
Token: SeDebugPrivilege	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 5056	792	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	80
PID 792 wrote to memory of 5056	792	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	80
PID 792 wrote to memory of 5056	792	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	80
PID 792 wrote to memory of 5056	792	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	80
PID 792 wrote to memory of 5056	792	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	80
PID 792 wrote to memory of 5056	792	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	80
PID 792 wrote to memory of 5056	792	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	80
PID 5056 wrote to memory of 4800	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	81
PID 5056 wrote to memory of 4800	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	81
PID 5056 wrote to memory of 4800	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	81
PID 5056 wrote to memory of 4772	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	87
PID 5056 wrote to memory of 4772	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	87
PID 5056 wrote to memory of 4772	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	87
PID 5056 wrote to memory of 4844	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	82
PID 5056 wrote to memory of 4844	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	82
PID 5056 wrote to memory of 4844	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	82
PID 5056 wrote to memory of 4748	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	83
PID 5056 wrote to memory of 4748	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	83
PID 5056 wrote to memory of 4748	5056	3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe	83
PID 4772 wrote to memory of 3472	4772	cmd.exe	89
PID 4772 wrote to memory of 3472	4772	cmd.exe	89
PID 4772 wrote to memory of 3472	4772	cmd.exe	89
PID 4800 wrote to memory of 4596	4800	cmd.exe	90
PID 4800 wrote to memory of 4596	4800	cmd.exe	90
PID 4800 wrote to memory of 4596	4800	cmd.exe	90
PID 4844 wrote to memory of 3852	4844	cmd.exe	91
PID 4844 wrote to memory of 3852	4844	cmd.exe	91
PID 4844 wrote to memory of 3852	4844	cmd.exe	91
PID 4748 wrote to memory of 1976	4748	cmd.exe	92
PID 4748 wrote to memory of 1976	4748	cmd.exe	92
PID 4748 wrote to memory of 1976	4748	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
"C:\Users\Admin\AppData\Local\Temp\3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe
  "C:\Users\Admin\AppData\Local\Temp\3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe"
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windefender.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windefender.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3495e395fd407e93757e7695ce18c7ab2c1c8a2fc7a867bca9ed4b794fb7d256.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-146-0x0000000000000000-mapping.dmp

Download
memory/3472-143-0x0000000000000000-mapping.dmp

Download
memory/3852-145-0x0000000000000000-mapping.dmp

Download
memory/4596-144-0x0000000000000000-mapping.dmp

Download
memory/4748-142-0x0000000000000000-mapping.dmp

Download
memory/4772-140-0x0000000000000000-mapping.dmp

Download
memory/4800-139-0x0000000000000000-mapping.dmp

Download
memory/4844-141-0x0000000000000000-mapping.dmp

Download
memory/5056-132-0x0000000000000000-mapping.dmp

Download
memory/5056-133-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5056-135-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5056-147-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads