f04d11a1c4811492e397bc151c65ea1958eab6cbcf279ece7bd59160bfbea3d8

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 9 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral1/memory/2288-0-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
\Windows\system\svchost.exe	BazaLoader
\Windows\system\svchost.exe	BazaLoader
C:\Windows\system\svchost.exe	BazaLoader
C:\Windows\system\svchost.exe	BazaLoader
behavioral1/memory/2288-33-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral1/memory/1872-34-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral1/memory/2288-35-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader
behavioral1/memory/1872-77-0x0000000140000000-0x0000000140636000-memory.dmp	BazaLoader

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

384 netsh.exe
2880 netsh.exe
1324 netsh.exe
1380 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1872 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

svchost_dump_SCY - Copy.exe

pid process

2288 svchost_dump_SCY - Copy.exe
2288 svchost_dump_SCY - Copy.exe
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 88.198.207.48

pid	process
384	netsh.exe
2880	netsh.exe
1324	netsh.exe
1380	netsh.exe

pid	process
1872	svchost.exe

pid	process
2288	svchost_dump_SCY - Copy.exe
2288	svchost_dump_SCY - Copy.exe

description	ioc
Destination IP	88.198.207.48

Drops file in Windows directory 4 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2812 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe

pid process

2864 powershell.exe
1132 powershell.exe
2288 svchost_dump_SCY - Copy.exe
1756 powershell.exe
1968 powershell.exe

pid	process
2812	schtasks.exe

pid	process
2864	powershell.exe
1132	powershell.exe
2288	svchost_dump_SCY - Copy.exe
1756	powershell.exe
1968	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2448	WMIC.exe
Token: SeSecurityPrivilege	2448	WMIC.exe
Token: SeTakeOwnershipPrivilege	2448	WMIC.exe
Token: SeLoadDriverPrivilege	2448	WMIC.exe
Token: SeSystemProfilePrivilege	2448	WMIC.exe
Token: SeSystemtimePrivilege	2448	WMIC.exe
Token: SeProfSingleProcessPrivilege	2448	WMIC.exe
Token: SeIncBasePriorityPrivilege	2448	WMIC.exe
Token: SeCreatePagefilePrivilege	2448	WMIC.exe
Token: SeBackupPrivilege	2448	WMIC.exe
Token: SeRestorePrivilege	2448	WMIC.exe
Token: SeShutdownPrivilege	2448	WMIC.exe
Token: SeDebugPrivilege	2448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2448	WMIC.exe
Token: SeRemoteShutdownPrivilege	2448	WMIC.exe
Token: SeUndockPrivilege	2448	WMIC.exe
Token: SeManageVolumePrivilege	2448	WMIC.exe
Token: 33	2448	WMIC.exe
Token: 34	2448	WMIC.exe
Token: 35	2448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2448	WMIC.exe
Token: SeSecurityPrivilege	2448	WMIC.exe
Token: SeTakeOwnershipPrivilege	2448	WMIC.exe
Token: SeLoadDriverPrivilege	2448	WMIC.exe
Token: SeSystemProfilePrivilege	2448	WMIC.exe
Token: SeSystemtimePrivilege	2448	WMIC.exe
Token: SeProfSingleProcessPrivilege	2448	WMIC.exe
Token: SeIncBasePriorityPrivilege	2448	WMIC.exe
Token: SeCreatePagefilePrivilege	2448	WMIC.exe
Token: SeBackupPrivilege	2448	WMIC.exe
Token: SeRestorePrivilege	2448	WMIC.exe
Token: SeShutdownPrivilege	2448	WMIC.exe
Token: SeDebugPrivilege	2448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2448	WMIC.exe
Token: SeRemoteShutdownPrivilege	2448	WMIC.exe
Token: SeUndockPrivilege	2448	WMIC.exe
Token: SeManageVolumePrivilege	2448	WMIC.exe
Token: 33	2448	WMIC.exe
Token: 34	2448	WMIC.exe
Token: 35	2448	WMIC.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeIncreaseQuotaPrivilege	1904	WMIC.exe
Token: SeSecurityPrivilege	1904	WMIC.exe
Token: SeTakeOwnershipPrivilege	1904	WMIC.exe
Token: SeLoadDriverPrivilege	1904	WMIC.exe
Token: SeSystemProfilePrivilege	1904	WMIC.exe
Token: SeSystemtimePrivilege	1904	WMIC.exe
Token: SeProfSingleProcessPrivilege	1904	WMIC.exe
Token: SeIncBasePriorityPrivilege	1904	WMIC.exe
Token: SeCreatePagefilePrivilege	1904	WMIC.exe
Token: SeBackupPrivilege	1904	WMIC.exe
Token: SeRestorePrivilege	1904	WMIC.exe
Token: SeShutdownPrivilege	1904	WMIC.exe
Token: SeDebugPrivilege	1904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1904	WMIC.exe
Token: SeRemoteShutdownPrivilege	1904	WMIC.exe
Token: SeUndockPrivilege	1904	WMIC.exe
Token: SeManageVolumePrivilege	1904	WMIC.exe
Token: 33	1904	WMIC.exe
Token: 34	1904	WMIC.exe
Token: 35	1904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1904	WMIC.exe
Token: SeSecurityPrivilege	1904	WMIC.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe

description	pid	process	target process
PID 2288 wrote to memory of 2448	2288	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2288 wrote to memory of 2448	2288	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2288 wrote to memory of 2448	2288	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2288 wrote to memory of 384	2288	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2288 wrote to memory of 384	2288	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2288 wrote to memory of 384	2288	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2288 wrote to memory of 2880	2288	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2288 wrote to memory of 2880	2288	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2288 wrote to memory of 2880	2288	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2288 wrote to memory of 2864	2288	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2288 wrote to memory of 2864	2288	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2288 wrote to memory of 2864	2288	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2288 wrote to memory of 1132	2288	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2288 wrote to memory of 1132	2288	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2288 wrote to memory of 1132	2288	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2288 wrote to memory of 464	2288	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2288 wrote to memory of 464	2288	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2288 wrote to memory of 464	2288	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2288 wrote to memory of 2812	2288	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2288 wrote to memory of 2812	2288	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2288 wrote to memory of 2812	2288	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2288 wrote to memory of 1872	2288	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2288 wrote to memory of 1872	2288	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2288 wrote to memory of 1872	2288	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1872 wrote to memory of 1904	1872	svchost.exe	WMIC.exe
PID 1872 wrote to memory of 1904	1872	svchost.exe	WMIC.exe
PID 1872 wrote to memory of 1904	1872	svchost.exe	WMIC.exe
PID 1872 wrote to memory of 1324	1872	svchost.exe	netsh.exe
PID 1872 wrote to memory of 1324	1872	svchost.exe	netsh.exe
PID 1872 wrote to memory of 1324	1872	svchost.exe	netsh.exe
PID 1872 wrote to memory of 1380	1872	svchost.exe	netsh.exe
PID 1872 wrote to memory of 1380	1872	svchost.exe	netsh.exe
PID 1872 wrote to memory of 1380	1872	svchost.exe	netsh.exe
PID 1872 wrote to memory of 1756	1872	svchost.exe	powershell.exe
PID 1872 wrote to memory of 1756	1872	svchost.exe	powershell.exe
PID 1872 wrote to memory of 1756	1872	svchost.exe	powershell.exe
PID 1872 wrote to memory of 1968	1872	svchost.exe	powershell.exe
PID 1872 wrote to memory of 1968	1872	svchost.exe	powershell.exe
PID 1872 wrote to memory of 1968	1872	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:384

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:464

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2812

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1324

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8a93fd62503f3b34988199f049b7d914

SHA1
64678b925b3fbd13e1d6120bcffc226c74eff49d

SHA256
389cb539e259ebb58a079b39d377fa4fefc2ac7febad445723e5fb35a4a313f6

SHA512
3c574afcd7a4368c2319ddb6b88361585ac677a86a3a66ccb5f8e101871bc205b03503d5436e54fbe70c446f068384c2df7c8c28c2026c07774bf706ad8e7d34

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
399e885091f433c306661eee1cd438db

SHA1
d148192a1880432eb6a46fbf73777223fa279f5c

SHA256
e5ab202452cbbc9629ee9ad360da834e860e5650b490b60e63ffc1825772a1e3

SHA512
899863701065a827dd0b29f3e5f9dfa18ff6ac4683e5da16175f233bbb98895c224d7e391085d06106dd7d6ec2505449db4ad3fa242c9309e0c88889361935e0

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
13.2MB

MD5
fb4ed74b1f45f8c27c484ba2d0b0c186

SHA1
e27e95abca14cc5b820209d7d1aadc1e09000eaa

SHA256
c57507b5cb9a2d2e9867c7714f09f338f5804d753c0b22a9f88d57a6c5816331

SHA512
71b923da56d5e1f9d1d374275277e7a739ce4bc06e69a27d9b7d925106700f95def380600abd74c8f56c8bbe778dd0534035da04d06f8b8bfe00df0f53430de6

Download Submit
C:\Windows\system\svchost.exe

Filesize
415KB

MD5
c8a69529b27ed743f173512e870b5c81

SHA1
76dd0f9929b78964582cf6f6782e4e31180db6aa

SHA256
3b2375f73d6d8f90172aed9b9bf5e233d735bdf80cdd9dcc7191008ee9209df2

SHA512
6a89d6f9efe362385ecc9e82e80c270c4ce7155803782b87b9f7bf6d512e8ba9ad09f58b0e3e6d9e996c3923214bb5b6b749883236cb19e68e81108db56a3975

Download Submit
C:\Windows\system\svchost.exe

Filesize
176KB

MD5
ba37ce7fcee22cfd078cd14c7344be3e

SHA1
0b4d6ba39e60477da876dbe18a9a1052ca1531ec

SHA256
cb9ea0870462595d7662e6695477b238ea5e2c3fe7661f868470c61a4b0d3076

SHA512
ca6dd2852c1c5e7dae65eca5a9a5f712e4aff89bf20e7a85c5816e527fe1db3ee4701d282f0696ecb829ad2a6cf2a583c1cd32903a4424519e3184009dfb52ff

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\system\svchost.exe

Filesize
2.2MB

MD5
2d26d8f0c6d2da00af920afc2effa806

SHA1
a4ca5e8c8de0e66ea5934f291baebfe5aaf6c43c

SHA256
e5d2432363ceab23d1770aaf40315ae7d6425b8f1fe61bb86b1afa817a14bc6a

SHA512
6a3e5ff30cc4b5c7445b52b83a11fa52f0050486a296320ada64c0b70117f25613c610c9e9fc19b611b1c135c6882de9edbe257a2cf833caeae9f31505373250

Download Submit
\Windows\system\svchost.exe

Filesize
259KB

MD5
7770fa8fbab4a9224313addba77c3980

SHA1
61e9d84afcc3df2e67625ef0f7375d0459bd37c1

SHA256
a90cf2923021c232d06619e42478296ea8557ae692d2b806fb30e30f07eeb02f

SHA512
2cc8f1a4913c532c45c1f9b6ecfb0a6b054f972b75e3c2a85dcac266f491cd96982e9114ce7690d9b6d6776982752eaa1263f5207a7b6ce0399dc7c26f2e0a07

Download Submit
memory/1132-19-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/1132-14-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/1132-16-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1756-53-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1756-41-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/1756-57-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/1756-55-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/1756-52-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1756-47-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/1756-44-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1756-43-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/1756-42-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/1872-77-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1872-62-0x000000001E9F0000-0x000000001EED2000-memory.dmp

Filesize
4.9MB

Download
memory/1872-34-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1968-56-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/1968-60-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/1968-61-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/1968-54-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/1968-58-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/1968-59-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-33-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2288-32-0x000000003B9B0000-0x000000003BFE6000-memory.dmp

Filesize
6.2MB

Download
memory/2288-35-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2288-29-0x000000003B9B0000-0x000000003BFE6000-memory.dmp

Filesize
6.2MB

Download
memory/2288-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2864-13-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2864-18-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2864-21-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2864-15-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-12-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-17-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/2864-20-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-11-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/2864-10-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads