cd5d681f249663dde55b694693ead4e63ff1d626e5db57975aeaa41e65205c37

General

Target

TwentyApp.exe
Size

3.3MB
MD5

5e2b1df5effbe5123eeff6752af2ca59
SHA1

2e1597b42c40155aa4f56ed708ea4aeb2a5d8698
SHA256

cd5d681f249663dde55b694693ead4e63ff1d626e5db57975aeaa41e65205c37
SHA512

e1ce42dbea6940dbf883ba32f4e934dce2803606a3109369ddfc9cf47e89d82f4f6fcb1854a0745a0e4cb0ad1e095627f35c03a06fa5f42693638039b58698c2
SSDEEP

98304:mZgO4UAJkCxZt3e0Y6qRlp5CNMqMDstLS7cqjAny:mZg3JlB3gXRlpkMqUM6cqjo

Score

9^/10

evasion ransomware themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

TwentyApp.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TwentyApp.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

47 4448 powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TwentyApp.exe

flow	pid	process
47	4448	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TwentyApp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TwentyApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TwentyApp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TwentyApp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	TwentyApp.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1000-137-0x0000000000770000-0x0000000001036000-memory.dmp	themida
behavioral2/memory/1000-138-0x0000000000770000-0x0000000001036000-memory.dmp	themida
behavioral2/memory/1000-210-0x0000000000770000-0x0000000001036000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

TwentyApp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA TwentyApp.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\WallPaper = " " reg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

TwentyApp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings TwentyApp.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4108 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

4804 powershell.exe
4448 powershell.exe
4448 powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TwentyApp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\WallPaper = " "	reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	TwentyApp.exe

pid	process
4108	NOTEPAD.EXE

pid	process
4804	powershell.exe
4448	powershell.exe
4448	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

TwentyApp.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1000	TwentyApp.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeShutdownPrivilege	3444	powercfg.exe
Token: SeCreatePagefilePrivilege	3444	powercfg.exe
Token: SeShutdownPrivilege	4336	powercfg.exe
Token: SeCreatePagefilePrivilege	4336	powercfg.exe
Token: SeShutdownPrivilege	5068	powercfg.exe
Token: SeCreatePagefilePrivilege	5068	powercfg.exe
Token: SeShutdownPrivilege	3076	powercfg.exe
Token: SeCreatePagefilePrivilege	3076	powercfg.exe
Token: SeShutdownPrivilege	3824	powercfg.exe
Token: SeCreatePagefilePrivilege	3824	powercfg.exe
Token: SeShutdownPrivilege	4996	powercfg.exe
Token: SeCreatePagefilePrivilege	4996	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TwentyApp.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1000 wrote to memory of 4124	1000	TwentyApp.exe	cmd.exe
PID 1000 wrote to memory of 4124	1000	TwentyApp.exe	cmd.exe
PID 1000 wrote to memory of 4124	1000	TwentyApp.exe	cmd.exe
PID 4124 wrote to memory of 4804	4124	cmd.exe	powershell.exe
PID 4124 wrote to memory of 4804	4124	cmd.exe	powershell.exe
PID 4124 wrote to memory of 4804	4124	cmd.exe	powershell.exe
PID 1000 wrote to memory of 5056	1000	TwentyApp.exe	cmd.exe
PID 1000 wrote to memory of 5056	1000	TwentyApp.exe	cmd.exe
PID 1000 wrote to memory of 5056	1000	TwentyApp.exe	cmd.exe
PID 5056 wrote to memory of 4448	5056	cmd.exe	powershell.exe
PID 5056 wrote to memory of 4448	5056	cmd.exe	powershell.exe
PID 5056 wrote to memory of 4448	5056	cmd.exe	powershell.exe
PID 5056 wrote to memory of 3836	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 3836	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 3836	5056	cmd.exe	cmd.exe
PID 3836 wrote to memory of 3444	3836	cmd.exe	powercfg.exe
PID 3836 wrote to memory of 3444	3836	cmd.exe	powercfg.exe
PID 3836 wrote to memory of 3444	3836	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 1156	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 1156	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 1156	5056	cmd.exe	cmd.exe
PID 1156 wrote to memory of 3696	1156	cmd.exe	cmd.exe
PID 1156 wrote to memory of 3696	1156	cmd.exe	cmd.exe
PID 1156 wrote to memory of 3696	1156	cmd.exe	cmd.exe
PID 1156 wrote to memory of 804	1156	cmd.exe	findstr.exe
PID 1156 wrote to memory of 804	1156	cmd.exe	findstr.exe
PID 1156 wrote to memory of 804	1156	cmd.exe	findstr.exe
PID 5056 wrote to memory of 4336	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 4336	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 4336	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 2768	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 2768	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 2768	5056	cmd.exe	cmd.exe
PID 2768 wrote to memory of 5068	2768	cmd.exe	powercfg.exe
PID 2768 wrote to memory of 5068	2768	cmd.exe	powercfg.exe
PID 2768 wrote to memory of 5068	2768	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 3076	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 3076	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 3076	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 3824	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 3824	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 3824	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 4996	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 4996	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 4996	5056	cmd.exe	powercfg.exe
PID 1000 wrote to memory of 380	1000	TwentyApp.exe	cmd.exe
PID 1000 wrote to memory of 380	1000	TwentyApp.exe	cmd.exe
PID 1000 wrote to memory of 380	1000	TwentyApp.exe	cmd.exe
PID 380 wrote to memory of 4468	380	cmd.exe	reg.exe
PID 380 wrote to memory of 4468	380	cmd.exe	reg.exe
PID 380 wrote to memory of 4468	380	cmd.exe	reg.exe
PID 380 wrote to memory of 3360	380	cmd.exe	reg.exe
PID 380 wrote to memory of 3360	380	cmd.exe	reg.exe
PID 380 wrote to memory of 3360	380	cmd.exe	reg.exe
PID 380 wrote to memory of 3736	380	cmd.exe	reg.exe
PID 380 wrote to memory of 3736	380	cmd.exe	reg.exe
PID 380 wrote to memory of 3736	380	cmd.exe	reg.exe
PID 380 wrote to memory of 1564	380	cmd.exe	reg.exe
PID 380 wrote to memory of 1564	380	cmd.exe	reg.exe
PID 380 wrote to memory of 1564	380	cmd.exe	reg.exe
PID 380 wrote to memory of 2744	380	cmd.exe	reg.exe
PID 380 wrote to memory of 2744	380	cmd.exe	reg.exe
PID 380 wrote to memory of 2744	380	cmd.exe	reg.exe
PID 380 wrote to memory of 2076	380	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\TwentyApp.exe
"C:\Users\Admin\AppData\Local\Temp\TwentyApp.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C PowerShell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempTest.ps1"
2⤵
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempTest.ps1"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\tempFile.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1012060155208282172/1075934313662644224/BitsumHighestPerformance.pow' -OutFile 'C:\Users\Admin\AppData\Local\Temp\powerplan.pow'
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powercfg import C:\Users\Admin\AppData\Local\Temp\powerplan.pow
3⤵
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\powercfg.exe
powercfg import C:\Users\Admin\AppData\Local\Temp\powerplan.pow
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo Imported Power Scheme Successfully. GUID: 25d9e331-57a9-4133-a3b8-08736d1a1459| findstr /C:"GUID:"
3⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Imported Power Scheme Successfully. GUID: 25d9e331-57a9-4133-a3b8-08736d1a1459"
4⤵
PID:3696

C:\Windows\SysWOW64\findstr.exe
findstr /C:"GUID:"
4⤵
PID:804

C:\Windows\SysWOW64\powercfg.exe
powercfg setactive 25d9e331-57a9-4133-a3b8-08736d1a1459
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powercfg /l
3⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\powercfg.exe
powercfg /l
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\SysWOW64\powercfg.exe
powercfg /delete 381b4222-f694-41f0-9685-ff5bb260df2e
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\SysWOW64\powercfg.exe
powercfg /delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\powercfg.exe
powercfg /delete a1841308-3541-4fab-bc81-f71556f20b4a
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\tempFile.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d 0 /f
3⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "SystemUsesLightTheme" /t REG_DWORD /d 0 /f
3⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v WallPaper /t REG_SZ /d " " /f
3⤵
- Sets desktop wallpaper using registry
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Colors" /v "Background" /t REG_SZ /d "0 0 0" /f
3⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers" /v BackgroundType /t REG_DWORD /d 1 /f
3⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers" /v CurrentWallpaperPath /t REG_SZ /d "" /f
3⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
3⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
3⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 2 /f
3⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Control Panel\Desktop" /v "FontSmoothing" /t REG_DWORD /d 2 /f
3⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Control Panel\Desktop" /v "DragFullWindows" /t REG_DWORD /d 1 /f
3⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 1 /f
3⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 1 /f
3⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarSmallIcons" /t REG_DWORD /d 1 /f
3⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d 0 /f
3⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCortanaButton" /t REG_DWORD /d 0 /f
3⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "OnboardUnpinCortana" /t REG_DWORD /d 1 /f
3⤵
PID:4920

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\gracias.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
d0b07570db70ebeac52efd9130a16373

SHA1
27f6af7bdba4b097c09b10b75c417282c8bb8976

SHA256
3fe45c78c812536fe56c3eeebe7d4621e65cc3a95119cedf9bf316f72eed71c7

SHA512
fb7a161a9e3ffec85a60f46ab7d09a1281d666bbeeb0148d2fda5ec1bdee78682349e418cc8afc39dfdbe9e4fcec207c32d6f70db01e6008ae3c86394e354930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
728B

MD5
9e12a27aa47b0f20bc931e9fb12e5409

SHA1
1579210717006ac5b4752b7cc2bc29f36c346bee

SHA256
965ecb0197f26183dd7841bd03856fa9fa769d1c4123f6990a2822e5b15bd265

SHA512
f8e7e9fb38555278a4145fe41c0ead54b72aed2759344f57acce95b531eaee40e7af2910d2dde25941a7be3729eea8ecf2e10450dd26da62bf92810d0df293c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x3dpmmep.3yb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gracias.txt
Filesize
197B

MD5
f09d5847eccbfdd8a2a04df5ce0470aa

SHA1
e59cb73b953f47ecf57551e640d5a10db5e244b9

SHA256
66bdeebf85948d9e558a4a28d91bd9fc5a8d146a3f9ec17f913955788db2e61b

SHA512
4165aa01640d5660d3def9b287bfde30a534341c217d5b8adb754bb2e10ee017ae14fbb73e5e43025dde987ad18cf4b893529d279be0820be759d70c8fe3407f

Download Submit
C:\Users\Admin\AppData\Local\Temp\powerplan.pow
Filesize
8KB

MD5
0eca9fdab5673f84347227601d6fab5f

SHA1
579249ed234156595e735e216ff86395cdea0eeb

SHA256
f8bdd77720170e6521fa0ff533cda9e4da8342d16f858159e74e8216bc22a306

SHA512
04a3e6fe9cb624647e373caf3e850b95b288153d2df3451ec4ec8cc2486ccc5c2597400b0b548760fd22c2fc76a72b4111754a7de957d0bfbcc14ec34542bd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempFile.bat
Filesize
898B

MD5
f2976acd4e0dfcbff62b3994ad0182a6

SHA1
4b0f299d9e000a8629d7b4089f3460ef7458bbc0

SHA256
b7ea575b6660463b4a60b495d66e4ccd9d25cca60dab20eaecb424f2ab4d72f2

SHA512
b5369670e5b9abc350c958475745e5cd9bc45fe3355630945368b5a0fca6e264ba58c076271807998ea487c9cf50489fa87c710286ef9e95b6c49a9d0a453126

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempFile.bat
Filesize
1KB

MD5
25b440d616b134fe36afd7f3953ee805

SHA1
564c7c6d615bcd8df8872b878cffd4d66a758ea5

SHA256
c9117710b529e1af1b5d5a0b191986a681f0fe72c6f24c96381d022b573d6e55

SHA512
c2f96c60fb71538f6e74a13842e3f7f1152d320d4b8d6da6fae74b26c71b3fd1e1eec110345ec197bdb01c36676d966d3ef6bdd4f4c917152e67b2a77e33e3f3

Download Submit
memory/1000-145-0x0000000000770000-0x0000000001036000-memory.dmp

Filesize
8.8MB

Download
memory/1000-142-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/1000-146-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/1000-147-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/1000-137-0x0000000000770000-0x0000000001036000-memory.dmp

Filesize
8.8MB

Download
memory/1000-210-0x0000000000770000-0x0000000001036000-memory.dmp

Filesize
8.8MB

Download
memory/1000-138-0x0000000000770000-0x0000000001036000-memory.dmp

Filesize
8.8MB

Download
memory/1000-139-0x0000000006050000-0x00000000065F4000-memory.dmp

Filesize
5.6MB

Download
memory/1000-133-0x0000000000770000-0x0000000001036000-memory.dmp

Filesize
8.8MB

Download
memory/1000-143-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/1000-140-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/1000-141-0x0000000005B10000-0x0000000005B1A000-memory.dmp

Filesize
40KB

Download
memory/4448-195-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/4448-181-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/4448-182-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/4448-193-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/4448-194-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/4448-196-0x0000000006630000-0x000000000664A000-memory.dmp

Filesize
104KB

Download
memory/4804-169-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/4804-168-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/4804-162-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/4804-161-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/4804-160-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/4804-159-0x00000000056C0000-0x0000000005CE8000-memory.dmp

Filesize
6.2MB

Download
memory/4804-158-0x0000000002AE0000-0x0000000002B16000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads