9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3

General

Target

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Size

861KB
MD5

9905a37faf38c17aead5bab3856a10f6
SHA1

04366e15e42148dca66e53bc96ef9fd7a8f18e44
SHA256

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3
SHA512

71cf500ef94368ef9c364edf3d9b760676138c17e01db91b9c8f63326a8e34ab47b3b2af8f2d846263bb8f218d06fc42604eceebb0baf721662b1b3c3de35e3c
SSDEEP

24576:dA78/eSlW1c98PkHJQ0hYt3fpQGRP3nNAA8MJw:dlPWL+7hYdxQOnaN

Score

8^/10

discovery exploit spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

nkdv16c.exenkdcv16.exe

pid process

1568 nkdv16c.exe
1260 nkdcv16.exe
Possible privilege escalation attempt 3 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exe

pid process

796 icacls.exe
1900 takeown.exe
1416 icacls.exe

pid	process
1568	nkdv16c.exe
1260	nkdcv16.exe

pid	process
796	icacls.exe
1900	takeown.exe
1416	icacls.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\nkdv16c.exe	upx
\Users\Admin\AppData\Roaming\nkdv16c.exe	upx
C:\Users\Admin\AppData\Roaming\nkdv16c.exe	upx
behavioral1/memory/1568-76-0x0000000000400000-0x00000000004E3000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exenkdv16c.execmd.exe

pid	process
1000	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
1000	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
1568	nkdv16c.exe
580	cmd.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exe

pid process

796 icacls.exe
1900 takeown.exe
1416 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops file in System32 directory 1 IoCs

Processes:

icacls.exe

description ioc process

File created C:\Windows\SysWOW64\fltLib.acl icacls.exe

pid	process
796	icacls.exe
1900	takeown.exe
1416	icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\fltLib.acl	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe

description	pid	process	target process
PID 2044 set thread context of 1000	2044	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Google"	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

WMIC.exetakeown.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1792	WMIC.exe
Token: SeSecurityPrivilege	1792	WMIC.exe
Token: SeTakeOwnershipPrivilege	1792	WMIC.exe
Token: SeLoadDriverPrivilege	1792	WMIC.exe
Token: SeSystemProfilePrivilege	1792	WMIC.exe
Token: SeSystemtimePrivilege	1792	WMIC.exe
Token: SeProfSingleProcessPrivilege	1792	WMIC.exe
Token: SeIncBasePriorityPrivilege	1792	WMIC.exe
Token: SeCreatePagefilePrivilege	1792	WMIC.exe
Token: SeBackupPrivilege	1792	WMIC.exe
Token: SeRestorePrivilege	1792	WMIC.exe
Token: SeShutdownPrivilege	1792	WMIC.exe
Token: SeDebugPrivilege	1792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1792	WMIC.exe
Token: SeRemoteShutdownPrivilege	1792	WMIC.exe
Token: SeUndockPrivilege	1792	WMIC.exe
Token: SeManageVolumePrivilege	1792	WMIC.exe
Token: 33	1792	WMIC.exe
Token: 34	1792	WMIC.exe
Token: 35	1792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1792	WMIC.exe
Token: SeSecurityPrivilege	1792	WMIC.exe
Token: SeTakeOwnershipPrivilege	1792	WMIC.exe
Token: SeLoadDriverPrivilege	1792	WMIC.exe
Token: SeSystemProfilePrivilege	1792	WMIC.exe
Token: SeSystemtimePrivilege	1792	WMIC.exe
Token: SeProfSingleProcessPrivilege	1792	WMIC.exe
Token: SeIncBasePriorityPrivilege	1792	WMIC.exe
Token: SeCreatePagefilePrivilege	1792	WMIC.exe
Token: SeBackupPrivilege	1792	WMIC.exe
Token: SeRestorePrivilege	1792	WMIC.exe
Token: SeShutdownPrivilege	1792	WMIC.exe
Token: SeDebugPrivilege	1792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1792	WMIC.exe
Token: SeRemoteShutdownPrivilege	1792	WMIC.exe
Token: SeUndockPrivilege	1792	WMIC.exe
Token: SeManageVolumePrivilege	1792	WMIC.exe
Token: 33	1792	WMIC.exe
Token: 34	1792	WMIC.exe
Token: 35	1792	WMIC.exe
Token: SeTakeOwnershipPrivilege	1900	takeown.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exenkdv16c.execmd.execmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 1000	2044	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 2044 wrote to memory of 1000	2044	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 2044 wrote to memory of 1000	2044	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 2044 wrote to memory of 1000	2044	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 2044 wrote to memory of 1000	2044	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 2044 wrote to memory of 1000	2044	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 2044 wrote to memory of 1000	2044	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 2044 wrote to memory of 1000	2044	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 2044 wrote to memory of 1000	2044	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 1000 wrote to memory of 1568	1000	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	nkdv16c.exe
PID 1000 wrote to memory of 1568	1000	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	nkdv16c.exe
PID 1000 wrote to memory of 1568	1000	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	nkdv16c.exe
PID 1000 wrote to memory of 1568	1000	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	nkdv16c.exe
PID 1568 wrote to memory of 580	1568	nkdv16c.exe	cmd.exe
PID 1568 wrote to memory of 580	1568	nkdv16c.exe	cmd.exe
PID 1568 wrote to memory of 580	1568	nkdv16c.exe	cmd.exe
PID 1568 wrote to memory of 580	1568	nkdv16c.exe	cmd.exe
PID 580 wrote to memory of 892	580	cmd.exe	reg.exe
PID 580 wrote to memory of 892	580	cmd.exe	reg.exe
PID 580 wrote to memory of 892	580	cmd.exe	reg.exe
PID 580 wrote to memory of 892	580	cmd.exe	reg.exe
PID 580 wrote to memory of 1964	580	cmd.exe	reg.exe
PID 580 wrote to memory of 1964	580	cmd.exe	reg.exe
PID 580 wrote to memory of 1964	580	cmd.exe	reg.exe
PID 580 wrote to memory of 1964	580	cmd.exe	reg.exe
PID 580 wrote to memory of 1020	580	cmd.exe	cmd.exe
PID 580 wrote to memory of 1020	580	cmd.exe	cmd.exe
PID 580 wrote to memory of 1020	580	cmd.exe	cmd.exe
PID 580 wrote to memory of 1020	580	cmd.exe	cmd.exe
PID 1020 wrote to memory of 1792	1020	cmd.exe	WMIC.exe
PID 1020 wrote to memory of 1792	1020	cmd.exe	WMIC.exe
PID 1020 wrote to memory of 1792	1020	cmd.exe	WMIC.exe
PID 1020 wrote to memory of 1792	1020	cmd.exe	WMIC.exe
PID 580 wrote to memory of 796	580	cmd.exe	icacls.exe
PID 580 wrote to memory of 796	580	cmd.exe	icacls.exe
PID 580 wrote to memory of 796	580	cmd.exe	icacls.exe
PID 580 wrote to memory of 796	580	cmd.exe	icacls.exe
PID 580 wrote to memory of 1900	580	cmd.exe	takeown.exe
PID 580 wrote to memory of 1900	580	cmd.exe	takeown.exe
PID 580 wrote to memory of 1900	580	cmd.exe	takeown.exe
PID 580 wrote to memory of 1900	580	cmd.exe	takeown.exe
PID 580 wrote to memory of 1416	580	cmd.exe	icacls.exe
PID 580 wrote to memory of 1416	580	cmd.exe	icacls.exe
PID 580 wrote to memory of 1416	580	cmd.exe	icacls.exe
PID 580 wrote to memory of 1416	580	cmd.exe	icacls.exe
PID 580 wrote to memory of 1260	580	cmd.exe	nkdcv16.exe
PID 580 wrote to memory of 1260	580	cmd.exe	nkdcv16.exe
PID 580 wrote to memory of 1260	580	cmd.exe	nkdcv16.exe
PID 580 wrote to memory of 1260	580	cmd.exe	nkdcv16.exe
PID 580 wrote to memory of 1260	580	cmd.exe	nkdcv16.exe
PID 580 wrote to memory of 1260	580	cmd.exe	nkdcv16.exe
PID 580 wrote to memory of 1260	580	cmd.exe	nkdcv16.exe

C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
"C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Roaming\nkdv16c.exe
"C:\Users\Admin\AppData\Roaming\nkdv16c.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BD4.tmp\nkdv16c.cmd""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d 1 /f
5⤵
PID:892

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SfcDisabled /t REG_DWORD /d 1 /f
5⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic Group Where SID="S-1-5-32-544" Get Name /Value
5⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic Group Where SID="S-1-5-32-544" Get Name /Value
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\fltLib.dll /save C:\Windows\System32\fltLib.acl /T
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
PID:796

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\fltLib.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\fltLib.dll /grant Administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1416

C:\Users\Admin\AppData\Local\Temp\nkdcv16.exe
nkdcv16.exe
5⤵
- Executes dropped EXE
PID:1260

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BD4.tmp\nkdv16c.cmd
Filesize
2KB

MD5
a18077e8ca8217c7ac84ac9cadcafb7e

SHA1
1d212d0c6bd6da0c8da8869419711e197a7125f7

SHA256
c7f92ce8222b40a1b9c934809ddcb467354cabbe0fcba3af6a155a808683e2b5

SHA512
352ac2b3c6a6768566296e5fb4186b0e55345717f5422ac2ae656a85f0a4e29ac98d8e63a81a064775cac8bc349f96ccf34b06bddc405fd02e51412d8f7264e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkdcv16.exe
Filesize
823KB

MD5
2c182a7c31678076fc7ace093b2d842b

SHA1
21146f56c76193cdc790f40e63432e9a440d1f7b

SHA256
88f7d722eb65f7aa4b5ec18672eee3042d4db23f574b0057141599ba4205fbfd

SHA512
470503ce01696ca90273647366a7d90b17a14b6bbbd0ec6a32e1061e89252b9e7a53c3ec03bbcbf7d9f7cf182997085383719188d68e842f6ad5760bb00f5caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkdcv16.exe
Filesize
823KB

MD5
2c182a7c31678076fc7ace093b2d842b

SHA1
21146f56c76193cdc790f40e63432e9a440d1f7b

SHA256
88f7d722eb65f7aa4b5ec18672eee3042d4db23f574b0057141599ba4205fbfd

SHA512
470503ce01696ca90273647366a7d90b17a14b6bbbd0ec6a32e1061e89252b9e7a53c3ec03bbcbf7d9f7cf182997085383719188d68e842f6ad5760bb00f5caf

Download Submit
C:\Users\Admin\AppData\Roaming\nkdv16c.exe
Filesize
529KB

MD5
d9977aa232ade22471469a6487b30f99

SHA1
f1c5529d749a6e48c7d13395c92a6eb1c0c9a518

SHA256
2394f0d3bec63a501f9bbcb618ac2981b22d49911fa7a3fdba0766d95dd15e62

SHA512
a430fed6f5434550b36a596d175efbfcc83e52ca4d678781c44d73f1ed2bdaad8e5712cd2c09b790f9eb10b4562afff3ea8f41aebf4d2fddb104df24eacf6995

Download Submit
\Users\Admin\AppData\Local\Temp\BD4.tmp\b2e.dll
Filesize
31KB

MD5
7b860f28be19d4aef761fb991134a556

SHA1
0658a7456d0234dcca598b6ee599fe134d0ecd61

SHA256
57a2586d73188a694944c7da60c78380f82fac46452ed1a31c818ceb93e660bc

SHA512
a0685a25cbc3fff74aa4ad538ade5282242980f07fe1171e01644e0fa98e1ec6adc87b943290983f6fb5070d26fc15d697ae31a1f570e83e504ae1e4508aefa5

Download Submit
\Users\Admin\AppData\Local\Temp\nkdcv16.exe
Filesize
823KB

MD5
2c182a7c31678076fc7ace093b2d842b

SHA1
21146f56c76193cdc790f40e63432e9a440d1f7b

SHA256
88f7d722eb65f7aa4b5ec18672eee3042d4db23f574b0057141599ba4205fbfd

SHA512
470503ce01696ca90273647366a7d90b17a14b6bbbd0ec6a32e1061e89252b9e7a53c3ec03bbcbf7d9f7cf182997085383719188d68e842f6ad5760bb00f5caf

Download Submit
\Users\Admin\AppData\Roaming\nkdv16c.exe
Filesize
529KB

MD5
d9977aa232ade22471469a6487b30f99

SHA1
f1c5529d749a6e48c7d13395c92a6eb1c0c9a518

SHA256
2394f0d3bec63a501f9bbcb618ac2981b22d49911fa7a3fdba0766d95dd15e62

SHA512
a430fed6f5434550b36a596d175efbfcc83e52ca4d678781c44d73f1ed2bdaad8e5712cd2c09b790f9eb10b4562afff3ea8f41aebf4d2fddb104df24eacf6995

Download Submit
\Users\Admin\AppData\Roaming\nkdv16c.exe
Filesize
529KB

MD5
d9977aa232ade22471469a6487b30f99

SHA1
f1c5529d749a6e48c7d13395c92a6eb1c0c9a518

SHA256
2394f0d3bec63a501f9bbcb618ac2981b22d49911fa7a3fdba0766d95dd15e62

SHA512
a430fed6f5434550b36a596d175efbfcc83e52ca4d678781c44d73f1ed2bdaad8e5712cd2c09b790f9eb10b4562afff3ea8f41aebf4d2fddb104df24eacf6995

Download Submit
memory/580-77-0x0000000000000000-mapping.dmp

Download
memory/796-84-0x0000000000000000-mapping.dmp

Download
memory/892-79-0x0000000000000000-mapping.dmp

Download
memory/1000-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1000-61-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1000-66-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1000-54-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1000-75-0x0000000002730000-0x0000000002813000-memory.dmp

Filesize
908KB

Download
memory/1000-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1000-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1000-63-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1000-64-0x0000000000441175-mapping.dmp

Download
memory/1000-80-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1000-57-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1000-59-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1020-82-0x0000000000000000-mapping.dmp

Download
memory/1260-89-0x0000000000000000-mapping.dmp

Download
memory/1416-86-0x0000000000000000-mapping.dmp

Download
memory/1568-70-0x0000000000000000-mapping.dmp

Download
memory/1568-76-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1792-83-0x0000000000000000-mapping.dmp

Download
memory/1900-85-0x0000000000000000-mapping.dmp

Download
memory/1964-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads