00da813eb4995d999e76d63773bd57a2852cd877247cc8ee4fb134e284ae355b

General

Target

dc4003efd4074d3366579cdaa98cae96.exe
Size

167KB
MD5

dc4003efd4074d3366579cdaa98cae96
SHA1

4201c0a08d7c10225636b2295c370860368d0f0a
SHA256

00da813eb4995d999e76d63773bd57a2852cd877247cc8ee4fb134e284ae355b
SHA512

5d3e72ab54a325c5fc48a96bef67020f8266e37ad54fdae780c4607d9726fa9d168726e0d22827624bd102b02c89c4d3ba4d258e7b2a011018bed883c8517a1a
SSDEEP

3072:dKXTyxQPHZ2I4nNVI8kQ3zTvuani/M0wAcbuuGv1X8lBPCB:0uxQP52I8NVI+vB9/uu08qB

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

lsass.exedc4003efd4074d3366579cdaa98cae96.exewmpnetvk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	dc4003efd4074d3366579cdaa98cae96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	wmpnetvk.exe

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4144 netsh.exe
2452 netsh.exe

pid	process
4144	netsh.exe
2452	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dc4003efd4074d3366579cdaa98cae96.exetaskhostt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	dc4003efd4074d3366579cdaa98cae96.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	taskhostt.exe

Executes dropped EXE 6 IoCs

Processes:

taskhostt.exelsass.exewmpnetvk.exewmpnetvk.exelsass.exelsass.exe

pid process

4672 taskhostt.exe
1412 lsass.exe
220 wmpnetvk.exe
740 wmpnetvk.exe
3892 lsass.exe
3516 lsass.exe

pid	process
4672	taskhostt.exe
1412	lsass.exe
220	wmpnetvk.exe
740	wmpnetvk.exe
3892	lsass.exe
3516	lsass.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lsass.exetaskhostt.exedc4003efd4074d3366579cdaa98cae96.exewmpnetvk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\Credentials\\taskhostt.exe"	taskhostt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	dc4003efd4074d3366579cdaa98cae96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	dc4003efd4074d3366579cdaa98cae96.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	wmpnetvk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	wmpnetvk.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dc4003efd4074d3366579cdaa98cae96.exewmpnetvk.exelsass.exe

description	pid	process	target process
PID 4872 set thread context of 2428	4872	dc4003efd4074d3366579cdaa98cae96.exe	dc4003efd4074d3366579cdaa98cae96.exe
PID 220 set thread context of 740	220	wmpnetvk.exe	wmpnetvk.exe
PID 3892 set thread context of 3516	3892	lsass.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 3 IoCs

Processes:

cmd.exewmpnetvk.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\wmpnetvk.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.gzp\:ZONE.identifier:$DATA	wmpnetvk.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\wmpnetvk.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dc4003efd4074d3366579cdaa98cae96.exetaskhostt.exelsass.exewmpnetvk.exelsass.exe

pid	process
4872	dc4003efd4074d3366579cdaa98cae96.exe
4672	taskhostt.exe
1412	lsass.exe
4672	taskhostt.exe
220	wmpnetvk.exe
4872	dc4003efd4074d3366579cdaa98cae96.exe
1412	lsass.exe
4672	taskhostt.exe
4672	taskhostt.exe
4672	taskhostt.exe
220	wmpnetvk.exe
4872	dc4003efd4074d3366579cdaa98cae96.exe
4672	taskhostt.exe
1412	lsass.exe
4672	taskhostt.exe
4672	taskhostt.exe
4672	taskhostt.exe
4672	taskhostt.exe
4672	taskhostt.exe
4672	taskhostt.exe
4672	taskhostt.exe
4672	taskhostt.exe
220	wmpnetvk.exe
220	wmpnetvk.exe
4872	dc4003efd4074d3366579cdaa98cae96.exe
4872	dc4003efd4074d3366579cdaa98cae96.exe
4672	taskhostt.exe
4672	taskhostt.exe
1412	lsass.exe
1412	lsass.exe
4672	taskhostt.exe
4672	taskhostt.exe
4672	taskhostt.exe
4672	taskhostt.exe
4672	taskhostt.exe
4672	taskhostt.exe
3892	lsass.exe
3892	lsass.exe
4672	taskhostt.exe
4672	taskhostt.exe
220	wmpnetvk.exe
220	wmpnetvk.exe
4872	dc4003efd4074d3366579cdaa98cae96.exe
4872	dc4003efd4074d3366579cdaa98cae96.exe
1412	lsass.exe
1412	lsass.exe
4672	taskhostt.exe
4672	taskhostt.exe
3892	lsass.exe
3892	lsass.exe
220	wmpnetvk.exe
220	wmpnetvk.exe
4872	dc4003efd4074d3366579cdaa98cae96.exe
4872	dc4003efd4074d3366579cdaa98cae96.exe
4672	taskhostt.exe
4672	taskhostt.exe
1412	lsass.exe
1412	lsass.exe
3892	lsass.exe
3892	lsass.exe
4672	taskhostt.exe
4672	taskhostt.exe
220	wmpnetvk.exe
220	wmpnetvk.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

dc4003efd4074d3366579cdaa98cae96.exetaskhostt.exelsass.exewmpnetvk.exelsass.exe

description	pid	process
Token: SeDebugPrivilege	4872	dc4003efd4074d3366579cdaa98cae96.exe
Token: SeDebugPrivilege	4672	taskhostt.exe
Token: SeDebugPrivilege	1412	lsass.exe
Token: SeDebugPrivilege	220	wmpnetvk.exe
Token: SeDebugPrivilege	3892	lsass.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

dc4003efd4074d3366579cdaa98cae96.exewmpnetvk.exelsass.exe

pid process

2428 dc4003efd4074d3366579cdaa98cae96.exe
740 wmpnetvk.exe
3516 lsass.exe

pid	process
2428	dc4003efd4074d3366579cdaa98cae96.exe
740	wmpnetvk.exe
3516	lsass.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

dc4003efd4074d3366579cdaa98cae96.exedc4003efd4074d3366579cdaa98cae96.exelsass.exetaskhostt.exewmpnetvk.exewmpnetvk.exelsass.exe

description	pid	process	target process
PID 4872 wrote to memory of 4732	4872	dc4003efd4074d3366579cdaa98cae96.exe	cmd.exe
PID 4872 wrote to memory of 4732	4872	dc4003efd4074d3366579cdaa98cae96.exe	cmd.exe
PID 4872 wrote to memory of 4732	4872	dc4003efd4074d3366579cdaa98cae96.exe	cmd.exe
PID 4872 wrote to memory of 2428	4872	dc4003efd4074d3366579cdaa98cae96.exe	dc4003efd4074d3366579cdaa98cae96.exe
PID 4872 wrote to memory of 2428	4872	dc4003efd4074d3366579cdaa98cae96.exe	dc4003efd4074d3366579cdaa98cae96.exe
PID 4872 wrote to memory of 2428	4872	dc4003efd4074d3366579cdaa98cae96.exe	dc4003efd4074d3366579cdaa98cae96.exe
PID 4872 wrote to memory of 2428	4872	dc4003efd4074d3366579cdaa98cae96.exe	dc4003efd4074d3366579cdaa98cae96.exe
PID 4872 wrote to memory of 2428	4872	dc4003efd4074d3366579cdaa98cae96.exe	dc4003efd4074d3366579cdaa98cae96.exe
PID 4872 wrote to memory of 2428	4872	dc4003efd4074d3366579cdaa98cae96.exe	dc4003efd4074d3366579cdaa98cae96.exe
PID 4872 wrote to memory of 2428	4872	dc4003efd4074d3366579cdaa98cae96.exe	dc4003efd4074d3366579cdaa98cae96.exe
PID 4872 wrote to memory of 2428	4872	dc4003efd4074d3366579cdaa98cae96.exe	dc4003efd4074d3366579cdaa98cae96.exe
PID 4872 wrote to memory of 4672	4872	dc4003efd4074d3366579cdaa98cae96.exe	taskhostt.exe
PID 4872 wrote to memory of 4672	4872	dc4003efd4074d3366579cdaa98cae96.exe	taskhostt.exe
PID 4872 wrote to memory of 4672	4872	dc4003efd4074d3366579cdaa98cae96.exe	taskhostt.exe
PID 2428 wrote to memory of 4144	2428	dc4003efd4074d3366579cdaa98cae96.exe	netsh.exe
PID 2428 wrote to memory of 4144	2428	dc4003efd4074d3366579cdaa98cae96.exe	netsh.exe
PID 2428 wrote to memory of 4144	2428	dc4003efd4074d3366579cdaa98cae96.exe	netsh.exe
PID 2428 wrote to memory of 1412	2428	dc4003efd4074d3366579cdaa98cae96.exe	lsass.exe
PID 2428 wrote to memory of 1412	2428	dc4003efd4074d3366579cdaa98cae96.exe	lsass.exe
PID 2428 wrote to memory of 1412	2428	dc4003efd4074d3366579cdaa98cae96.exe	lsass.exe
PID 1412 wrote to memory of 4688	1412	lsass.exe	lsass.exe
PID 1412 wrote to memory of 4688	1412	lsass.exe	lsass.exe
PID 1412 wrote to memory of 4688	1412	lsass.exe	lsass.exe
PID 4672 wrote to memory of 220	4672	taskhostt.exe	wmpnetvk.exe
PID 4672 wrote to memory of 220	4672	taskhostt.exe	wmpnetvk.exe
PID 4672 wrote to memory of 220	4672	taskhostt.exe	wmpnetvk.exe
PID 220 wrote to memory of 1940	220	wmpnetvk.exe	cmd.exe
PID 220 wrote to memory of 1940	220	wmpnetvk.exe	cmd.exe
PID 220 wrote to memory of 1940	220	wmpnetvk.exe	cmd.exe
PID 220 wrote to memory of 740	220	wmpnetvk.exe	wmpnetvk.exe
PID 220 wrote to memory of 740	220	wmpnetvk.exe	wmpnetvk.exe
PID 220 wrote to memory of 740	220	wmpnetvk.exe	wmpnetvk.exe
PID 220 wrote to memory of 740	220	wmpnetvk.exe	wmpnetvk.exe
PID 220 wrote to memory of 740	220	wmpnetvk.exe	wmpnetvk.exe
PID 220 wrote to memory of 740	220	wmpnetvk.exe	wmpnetvk.exe
PID 220 wrote to memory of 740	220	wmpnetvk.exe	wmpnetvk.exe
PID 220 wrote to memory of 740	220	wmpnetvk.exe	wmpnetvk.exe
PID 740 wrote to memory of 2452	740	wmpnetvk.exe	netsh.exe
PID 740 wrote to memory of 2452	740	wmpnetvk.exe	netsh.exe
PID 740 wrote to memory of 2452	740	wmpnetvk.exe	netsh.exe
PID 740 wrote to memory of 3892	740	wmpnetvk.exe	lsass.exe
PID 740 wrote to memory of 3892	740	wmpnetvk.exe	lsass.exe
PID 740 wrote to memory of 3892	740	wmpnetvk.exe	lsass.exe
PID 3892 wrote to memory of 3516	3892	lsass.exe	lsass.exe
PID 3892 wrote to memory of 3516	3892	lsass.exe	lsass.exe
PID 3892 wrote to memory of 3516	3892	lsass.exe	lsass.exe
PID 3892 wrote to memory of 3516	3892	lsass.exe	lsass.exe
PID 3892 wrote to memory of 3516	3892	lsass.exe	lsass.exe
PID 3892 wrote to memory of 3516	3892	lsass.exe	lsass.exe
PID 3892 wrote to memory of 3516	3892	lsass.exe	lsass.exe
PID 3892 wrote to memory of 3516	3892	lsass.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\dc4003efd4074d3366579cdaa98cae96.exe
"C:\Users\Admin\AppData\Local\Temp\dc4003efd4074d3366579cdaa98cae96.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- NTFS ADS
PID:4732

C:\Users\Admin\AppData\Local\Temp\dc4003efd4074d3366579cdaa98cae96.exe
dc4003efd4074d3366579cdaa98cae96.exe
2⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
3⤵
- Modifies Windows Firewall
PID:4144

C:\Users\Admin\AppData\Roaming\lsass.exe
/d C:\Users\Admin\AppData\Local\Temp\dc4003efd4074d3366579cdaa98cae96.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Roaming\lsass.exe
lsass.exe
4⤵
PID:4688

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\cmd.exe
"cmd"
4⤵
- NTFS ADS
PID:1940

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
wmpnetvk.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
5⤵
- Modifies Windows Firewall
PID:2452

C:\Users\Admin\AppData\Roaming\lsass.exe
/d C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Roaming\lsass.exe
lsass.exe
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmpnetvk.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe
Filesize
9KB

MD5
abd2e50ed727642c0aa0a911e8d45064

SHA1
a53879e8636d04957268223a4395422a70f8d941

SHA256
152d5f38b4d8de3aec4c1a2dcce0ce7308f88d07e02f17a4ac541552fb9a82ae

SHA512
5eacbe37fd41879f1e21a5aa3a6425f07af3dd9e7a941f00bd2533f4cbe988f0460a06fe4d021c2475dc601605fb18caad50758642223b0f18397c559b1e39d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
Filesize
167KB

MD5
dc4003efd4074d3366579cdaa98cae96

SHA1
4201c0a08d7c10225636b2295c370860368d0f0a

SHA256
00da813eb4995d999e76d63773bd57a2852cd877247cc8ee4fb134e284ae355b

SHA512
5d3e72ab54a325c5fc48a96bef67020f8266e37ad54fdae780c4607d9726fa9d168726e0d22827624bd102b02c89c4d3ba4d258e7b2a011018bed883c8517a1a

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe
Filesize
167KB

MD5
61fc2250421b3588dc85774011bcd086

SHA1
ec7dfbecb92663d73de6177cc7c9462c68909b18

SHA256
1b60e6820916ac8a1a1cadfbaaf9f44bcc68f6009105a495e56fbba4f5af45ed

SHA512
2f3bc9a9f8627320330c74c50f17c610b080332a948e7984590cb56bd9188fafaa32916a45be84efc03ea099e296cd2375cd96c714508de3d158300863795f5f

Download Submit
memory/220-39-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/220-63-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/220-38-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/220-37-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/220-62-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/1412-31-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/1412-61-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/2428-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2428-10-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3892-64-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/3892-49-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/3892-53-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4672-25-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4672-59-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4672-60-0x0000000001340000-0x0000000001350000-memory.dmp

Filesize
64KB

Download
memory/4872-57-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4872-58-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/4872-56-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4872-0-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4872-2-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/4872-1-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads