ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540

General

Target

ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe
Size

959KB
MD5

98343a039500a0d00800e290a9a42b8c
SHA1

1853de66d372a97d6cf65515a5c0bfa78c965050
SHA256

ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540
SHA512

1198b41b8d5d9b7e80a3a48f48f659356ad0fb5b490fff10cc34fb692dc42cfd644ec3feeee564cce4bb32e1a002e91c687d7bd3fce8bad36e5eb64eeddec1b8
SSDEEP

24576:KzKXpMJj7owjD49Nkb+R0WLnAI/jLQjMhK6h3xU4+Gud0z:P+JfoE4DTLnAI7L3hK6h3+BGudI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
744	defender.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1884-54-0x0000000000400000-0x00000000006FA000-memory.dmp	upx
behavioral1/files/0x00080000000136cd-58.dat	upx
behavioral1/files/0x00080000000136cd-59.dat	upx
behavioral1/files/0x00080000000136cd-61.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1884	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe
1884	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Malware Protection = "C:\\ProgramData\\defender.exe"	defender.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	defender.exe
File opened (read-only)	\??\J:	defender.exe
File opened (read-only)	\??\M:	defender.exe
File opened (read-only)	\??\O:	defender.exe
File opened (read-only)	\??\Y:	defender.exe
File opened (read-only)	\??\G:	defender.exe
File opened (read-only)	\??\H:	defender.exe
File opened (read-only)	\??\R:	defender.exe
File opened (read-only)	\??\U:	defender.exe
File opened (read-only)	\??\X:	defender.exe
File opened (read-only)	\??\K:	defender.exe
File opened (read-only)	\??\Q:	defender.exe
File opened (read-only)	\??\S:	defender.exe
File opened (read-only)	\??\Z:	defender.exe
File opened (read-only)	\??\E:	defender.exe
File opened (read-only)	\??\L:	defender.exe
File opened (read-only)	\??\P:	defender.exe
File opened (read-only)	\??\T:	defender.exe
File opened (read-only)	\??\V:	defender.exe
File opened (read-only)	\??\W:	defender.exe
File opened (read-only)	\??\F:	defender.exe
File opened (read-only)	\??\N:	defender.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1884	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe
744	defender.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
744	defender.exe
744	defender.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 744	1884	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe	28
PID 1884 wrote to memory of 744	1884	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe	28
PID 1884 wrote to memory of 744	1884	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe	28
PID 1884 wrote to memory of 744	1884	ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe	28

C:\Users\Admin\AppData\Local\Temp\ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe
"C:\Users\Admin\AppData\Local\Temp\ecfad45377e38170d98bad0be9ff66c0fb8a13a234dced2232eeaad7c605b540.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884
- C:\ProgramData\defender.exe
  C:\ProgramData\defender.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\defender.exe

Filesize
861KB

MD5
821acc55c90dfe49f65bbb2c21a94017

SHA1
aa3a85b24b14fe04cf9e40e7a4daa51adc3b74f2

SHA256
139b0dce8b0ad9af54d8e08313a3f42aa2c9bb8b0979b607a695f43c6581b91d

SHA512
dfdb66a7fce2fdfaff161546a7b41a30dd869729c265098b1711aadc02a4a42c6d5483dec406723ae7bda68199eac2c76fb6d217dfffcbcb3fd50daeab708239

Download Submit
\ProgramData\defender.exe

Filesize
861KB

MD5
821acc55c90dfe49f65bbb2c21a94017

SHA1
aa3a85b24b14fe04cf9e40e7a4daa51adc3b74f2

SHA256
139b0dce8b0ad9af54d8e08313a3f42aa2c9bb8b0979b607a695f43c6581b91d

SHA512
dfdb66a7fce2fdfaff161546a7b41a30dd869729c265098b1711aadc02a4a42c6d5483dec406723ae7bda68199eac2c76fb6d217dfffcbcb3fd50daeab708239

Download Submit
\ProgramData\defender.exe

Filesize
861KB

MD5
821acc55c90dfe49f65bbb2c21a94017

SHA1
aa3a85b24b14fe04cf9e40e7a4daa51adc3b74f2

SHA256
139b0dce8b0ad9af54d8e08313a3f42aa2c9bb8b0979b607a695f43c6581b91d

SHA512
dfdb66a7fce2fdfaff161546a7b41a30dd869729c265098b1711aadc02a4a42c6d5483dec406723ae7bda68199eac2c76fb6d217dfffcbcb3fd50daeab708239

Download Submit
memory/744-65-0x0000000000400000-0x0000000000A1F000-memory.dmp

Filesize
6.1MB

Download
memory/744-74-0x0000000000400000-0x0000000000A1F000-memory.dmp

Filesize
6.1MB

Download
memory/744-73-0x0000000000400000-0x0000000000A1F000-memory.dmp

Filesize
6.1MB

Download
memory/744-71-0x0000000000400000-0x0000000000A1F000-memory.dmp

Filesize
6.1MB

Download
memory/744-70-0x0000000000400000-0x0000000000A1F000-memory.dmp

Filesize
6.1MB

Download
memory/744-66-0x0000000002490000-0x0000000002494000-memory.dmp

Filesize
16KB

Download
memory/1884-63-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/1884-64-0x0000000002ED0000-0x00000000034EF000-memory.dmp

Filesize
6.1MB

Download
memory/1884-67-0x0000000000400000-0x00000000006FA000-memory.dmp

Filesize
3.0MB

Download
memory/1884-68-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/1884-69-0x0000000002ED0000-0x00000000034EF000-memory.dmp

Filesize
6.1MB

Download
memory/1884-54-0x0000000000400000-0x00000000006FA000-memory.dmp

Filesize
3.0MB

Download
memory/1884-57-0x00000000002B0000-0x00000000002B4000-memory.dmp

Filesize
16KB

Download
memory/1884-56-0x0000000000400000-0x00000000006FA000-memory.dmp

Filesize
3.0MB

Download
memory/1884-55-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads