fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7

Analysis

max time kernel
139s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 13:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe
Size

121KB
MD5

eac0a08470ee67c63b14ae2ce7f6aa61
SHA1

285c0163376d5d9a5806364411652fe73424d571
SHA256

fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7
SHA512

f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5
SSDEEP

1536:3THoX8wNjiMsyPcjgbKx534oU6Llg/iLBkZhifkdol9LYuVF5yZbn:DjksYKx5o3Slg/itMg8+LYu9ubn

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
1828	BC1C9B74EA.exe
2076	BC1C9B74EA.exe

Loads dropped DLL 2 IoCs

pid	Process
356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe
356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FF1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\BC1C9B74EA.exe\""	BC1C9B74EA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FF1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe\""	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\BC1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\BC1C9B74EA.exe\""	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*BC1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\BC1C9B74EA.exe\""	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	BC1C9B74EA.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 1828 set thread context of 2076	1828	BC1C9B74EA.exe	60

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\_HELP_INSTRUCTION.TXT	BC1C9B74EA.exe
File opened for modification	C:\Program Files (x86)\_HELP_INSTRUCTION.TXT	BC1C9B74EA.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_HELP_INSTRUCTION.TXT	BC1C9B74EA.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2556	sc.exe
2632	sc.exe
2728	sc.exe
2848	sc.exe
2708	sc.exe
2464	sc.exe
2496	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1916	vssadmin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe:Zone.Identifier	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2616	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2768	vssvc.exe
Token: SeRestorePrivilege	2768	vssvc.exe
Token: SeAuditPrivilege	2768	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 2384 wrote to memory of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 2384 wrote to memory of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 2384 wrote to memory of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 2384 wrote to memory of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 2384 wrote to memory of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 2384 wrote to memory of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 2384 wrote to memory of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 2384 wrote to memory of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 2384 wrote to memory of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 2384 wrote to memory of 356	2384	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	28
PID 356 wrote to memory of 2364	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	29
PID 356 wrote to memory of 2364	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	29
PID 356 wrote to memory of 2364	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	29
PID 356 wrote to memory of 2364	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	29
PID 356 wrote to memory of 2740	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	31
PID 356 wrote to memory of 2740	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	31
PID 356 wrote to memory of 2740	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	31
PID 356 wrote to memory of 2740	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	31
PID 356 wrote to memory of 2136	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	33
PID 356 wrote to memory of 2136	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	33
PID 356 wrote to memory of 2136	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	33
PID 356 wrote to memory of 2136	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	33
PID 2364 wrote to memory of 2556	2364	cmd.exe	34
PID 2364 wrote to memory of 2556	2364	cmd.exe	34
PID 2364 wrote to memory of 2556	2364	cmd.exe	34
PID 2364 wrote to memory of 2556	2364	cmd.exe	34
PID 2740 wrote to memory of 2632	2740	cmd.exe	36
PID 2740 wrote to memory of 2632	2740	cmd.exe	36
PID 2740 wrote to memory of 2632	2740	cmd.exe	36
PID 2740 wrote to memory of 2632	2740	cmd.exe	36
PID 356 wrote to memory of 2652	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	37
PID 356 wrote to memory of 2652	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	37
PID 356 wrote to memory of 2652	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	37
PID 356 wrote to memory of 2652	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	37
PID 356 wrote to memory of 2636	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	39
PID 356 wrote to memory of 2636	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	39
PID 356 wrote to memory of 2636	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	39
PID 356 wrote to memory of 2636	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	39
PID 2136 wrote to memory of 2848	2136	cmd.exe	41
PID 2136 wrote to memory of 2848	2136	cmd.exe	41
PID 2136 wrote to memory of 2848	2136	cmd.exe	41
PID 2136 wrote to memory of 2848	2136	cmd.exe	41
PID 2652 wrote to memory of 2728	2652	cmd.exe	42
PID 2652 wrote to memory of 2728	2652	cmd.exe	42
PID 2652 wrote to memory of 2728	2652	cmd.exe	42
PID 2652 wrote to memory of 2728	2652	cmd.exe	42
PID 356 wrote to memory of 2724	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	43
PID 356 wrote to memory of 2724	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	43
PID 356 wrote to memory of 2724	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	43
PID 356 wrote to memory of 2724	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	43
PID 2636 wrote to memory of 2708	2636	cmd.exe	44
PID 2636 wrote to memory of 2708	2636	cmd.exe	44
PID 2636 wrote to memory of 2708	2636	cmd.exe	44
PID 2636 wrote to memory of 2708	2636	cmd.exe	44
PID 356 wrote to memory of 2472	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	46
PID 356 wrote to memory of 2472	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	46
PID 356 wrote to memory of 2472	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	46
PID 356 wrote to memory of 2472	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	46
PID 356 wrote to memory of 2616	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	48
PID 356 wrote to memory of 2616	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	48
PID 356 wrote to memory of 2616	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	48
PID 356 wrote to memory of 2616	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	48
PID 356 wrote to memory of 2448	356	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe	50

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe
"C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe
  "C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop VVS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\sc.exe
      sc stop VVS
      4⤵
      Launches sc.exe
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wscsvc
      4⤵
      Launches sc.exe
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop wuauserv
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop BITS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\sc.exe
      sc stop BITS
      4⤵
      Launches sc.exe
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop ERSvc
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\sc.exe
      sc stop ERSvc
      4⤵
      Launches sc.exe
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop WerSvc
    3⤵
    PID:2472
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WerSvc
      4⤵
      Launches sc.exe
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2616
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2512
- - C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
    C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1828
  - - C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
      C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Drops file in Windows directory
      PID:2076
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_HELP_INSTRUCTION.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\_HELP_INSTRUCTION.TXT

Filesize
1KB

MD5
15def8569a7210afa2925a3312f7b055

SHA1
0467fd0b80d3ce603ddf3b022bf22bb0bcae3f3d

SHA256
469bd39c370118c8f1b216f7bd540c3615d27ec2d44a9ae5491ac6edd299aeb9

SHA512
97008cadd498580e9d16cf2f5270e5372e017ea8c615c57f0369141983316b7c0214d5e982ed74829e249cb9fabd77fc4e0b724592d384783f553512be0f3083

Download Submit
\Users\Admin\AppData\Roaming\BC1C9B74EA.exe

Filesize
121KB

MD5
eac0a08470ee67c63b14ae2ce7f6aa61

SHA1
285c0163376d5d9a5806364411652fe73424d571

SHA256
fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7

SHA512
f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5

Download Submit
memory/356-4-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/356-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/356-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1828-23-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/1828-544-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2076-80-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-100-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-32-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-40-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-45-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-50-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-65-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-70-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-75-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-623-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-85-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-90-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-95-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-31-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-105-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-121-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-127-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-134-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-140-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-145-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-147-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-149-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-151-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-153-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-155-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2076-26-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2384-2-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads