guloader | 1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c

Analysis

max time kernel
30s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c.js
Size

709KB
MD5

79021e344431dfff5aa6547f543b4337
SHA1

75f6cad7afe2ba456fb3413d68d79257d798ba07
SHA256

1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c
SHA512

985473692be9809f9ef1729aec2847b9b98202e98b429739631efe3a223b9054fa5851da948f95b4c3d9d99c4533c1b7e98fc9a5b70721fba8646f6ca0af9c2e
SSDEEP

12288:1opI6Gm4TM8Nju/GZ34DGltz2BRJON0eIC8vHAX5TtL+i1GFRz6u:1opIOn/GZUGKhfAXNtDkFj

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1924	22975.exe
224	QQ.exe

Loads dropped DLL 1 IoCs

pid	Process
1924	22975.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ragelses = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Jevgenij\\Salderendes.exe"	wab.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\forementioned\kirstis.ini	22975.exe
File opened for modification	C:\Windows\SysWOW64\forementioned\kirstis.ini	QQ.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1924	22975.exe
3840	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 3840	1924	22975.exe	119

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\markprverne\tekstmarkeringen.str	QQ.exe
File opened for modification	C:\Program Files (x86)\Common Files\markprverne\tekstmarkeringen.str	22975.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\nuncupating.Enf	22975.exe
File opened for modification	C:\Windows\Fonts\Dagsarbejdes.fin	22975.exe
File opened for modification	C:\Windows\resources\0409\nuncupating.Enf	QQ.exe
File opened for modification	C:\Windows\Fonts\Dagsarbejdes.fin	QQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
968	taskkill.exe
1464	taskkill.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4416	WINWORD.EXE
4416	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1924	22975.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4416	WINWORD.EXE
4416	WINWORD.EXE
4416	WINWORD.EXE
4416	WINWORD.EXE
4416	WINWORD.EXE
4416	WINWORD.EXE
4416	WINWORD.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 968	1732	wscript.exe	84
PID 1732 wrote to memory of 968	1732	wscript.exe	84
PID 1732 wrote to memory of 1464	1732	wscript.exe	87
PID 1732 wrote to memory of 1464	1732	wscript.exe	87
PID 1732 wrote to memory of 3792	1732	wscript.exe	89
PID 1732 wrote to memory of 3792	1732	wscript.exe	89
PID 1732 wrote to memory of 2804	1732	wscript.exe	91
PID 1732 wrote to memory of 2804	1732	wscript.exe	91
PID 1732 wrote to memory of 4964	1732	wscript.exe	93
PID 1732 wrote to memory of 4964	1732	wscript.exe	93
PID 1732 wrote to memory of 4804	1732	wscript.exe	95
PID 1732 wrote to memory of 4804	1732	wscript.exe	95
PID 1732 wrote to memory of 2076	1732	wscript.exe	97
PID 1732 wrote to memory of 2076	1732	wscript.exe	97
PID 1732 wrote to memory of 544	1732	wscript.exe	99
PID 1732 wrote to memory of 544	1732	wscript.exe	99
PID 1732 wrote to memory of 2028	1732	wscript.exe	101
PID 1732 wrote to memory of 2028	1732	wscript.exe	101
PID 1732 wrote to memory of 2112	1732	wscript.exe	103
PID 1732 wrote to memory of 2112	1732	wscript.exe	103
PID 1732 wrote to memory of 2096	1732	wscript.exe	105
PID 1732 wrote to memory of 2096	1732	wscript.exe	105
PID 2096 wrote to memory of 4416	2096	cmd.exe	107
PID 2096 wrote to memory of 4416	2096	cmd.exe	107
PID 1732 wrote to memory of 1924	1732	wscript.exe	109
PID 1732 wrote to memory of 1924	1732	wscript.exe	109
PID 1732 wrote to memory of 1924	1732	wscript.exe	109
PID 1924 wrote to memory of 3840	1924	22975.exe	119
PID 1924 wrote to memory of 3840	1924	22975.exe	119
PID 1924 wrote to memory of 3840	1924	22975.exe	119
PID 1924 wrote to memory of 3840	1924	22975.exe	119
PID 1924 wrote to memory of 3840	1924	22975.exe	119
PID 3840 wrote to memory of 224	3840	wab.exe	120
PID 3840 wrote to memory of 224	3840	wab.exe	120
PID 3840 wrote to memory of 224	3840	wab.exe	120

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im winword.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im winword.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
  2⤵
  PID:3792
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
  2⤵
  PID:2804
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
  2⤵
  PID:4964
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
  2⤵
  PID:4804
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
  2⤵
  PID:2076
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
  2⤵
  PID:544
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
  2⤵
  PID:2028
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
  2⤵
  PID:2112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" /MAX winword "C:\Users\Admin\Documents\These.docx"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\Admin\Documents\These.docx"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:4416
- C:\Users\Admin\22975.exe
  "C:\Users\Admin\22975.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Users\Admin\22975.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\QQ.exe
      "C:\Users\Admin\AppData\Local\Temp\QQ.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\10855.docx

Filesize
9KB

MD5
86b537f94078514245fe7b6275ed5531

SHA1
54f72b7333b6a576ea33459caf8b2724f62a6c53

SHA256
5c0bb327dcac9c309285814c460a54f91b83ee4a7c693bc6ec2aa2ae8c012eb2

SHA512
93ab12385c7ab86d561d705c8cbf17da49c16686aa2262b7b9a4a98ed4e307f5908efa8004f619bb019768989d2368834e20a18c723602454e4728ef31a34272

Download Submit
C:\Users\Admin\22975.exe

Filesize
497KB

MD5
b3e117728535ed7edad599e698cafbc2

SHA1
2ea334afa266e29515855f809627b09c032168e8

SHA256
9e3c4a258c4f20711f53dda2f00dacf9a6ae3a673cd2b8d54b4811fe4fd62bf7

SHA512
d964fada7344bdf95964dc7159b4b1c550d6c6d0c35263c96f7b32bd489cf38f796198bb97548dd6868ef09f72e8ab273208c33e981419b85c506acbad436b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQ.exe

Filesize
469KB

MD5
46bbacb63c2f6c440be347e99210c3a3

SHA1
8b3f6920bf657fd1973069540ec5990b2033e69a

SHA256
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e

SHA512
f51dafe7612d294a70872064d9c8b1352598def99242134e4dd5aa03ef62614d3222d5b430a8bb26fa63b7e177ec7229467bae58b1e86a0775a052dcab38f7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp6D23.tmp\System.dll

Filesize
11KB

MD5
fc90dfb694d0e17b013d6f818bce41b0

SHA1
3243969886d640af3bfa442728b9f0dff9d5f5b0

SHA256
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

SHA512
324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
202B

MD5
4566d1d70073cd75fe35acb78ff9d082

SHA1
f602ecc057a3c19aa07671b34b4fdd662aa033cc

SHA256
fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0

SHA512
b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
77b4c012bee9e4733d214029a8098b1e

SHA1
f1fcaee75556a0c0a4d4fc9de8ed8f1b33f467e6

SHA256
904ca55604a55f8effacb2a8f6f115f868904b04db43140f45759868728f4e00

SHA512
42ea8f03cb809aa3c8e01ccd26d723ab5e2010b506f7e9ae50fd853a248f6605db2c516cef9a4ef97fdec3db24e8fbdf64699fb789f596746ee08e204f330a99

Download Submit
memory/224-273-0x00000000049F0000-0x0000000005C00000-memory.dmp

Filesize
18.1MB

Download
memory/1924-239-0x00000000048E0000-0x0000000006C5B000-memory.dmp

Filesize
35.5MB

Download
memory/1924-143-0x00000000048E0000-0x0000000006C5B000-memory.dmp

Filesize
35.5MB

Download
memory/1924-140-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1924-137-0x0000000077AF1000-0x0000000077C11000-memory.dmp

Filesize
1.1MB

Download
memory/1924-121-0x00000000048E0000-0x0000000006C5B000-memory.dmp

Filesize
35.5MB

Download
memory/3840-254-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-244-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-258-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-272-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-262-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-271-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-267-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-269-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-268-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-270-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-142-0x0000000000C00000-0x0000000002F7B000-memory.dmp

Filesize
35.5MB

Download
memory/3840-266-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-144-0x0000000077B78000-0x0000000077B79000-memory.dmp

Filesize
4KB

Download
memory/3840-145-0x0000000077AF1000-0x0000000077C11000-memory.dmp

Filesize
1.1MB

Download
memory/3840-265-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-167-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-230-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-229-0x0000000077AF1000-0x0000000077C11000-memory.dmp

Filesize
1.1MB

Download
memory/3840-231-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-228-0x0000000000C00000-0x0000000002F7B000-memory.dmp

Filesize
35.5MB

Download
memory/3840-233-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-234-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-232-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-235-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-236-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-237-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-264-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-240-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-241-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-238-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-242-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-263-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-245-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-246-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-247-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-248-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-243-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-249-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-251-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-250-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-252-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-253-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-261-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-255-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-256-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-257-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-259-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3840-260-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/4416-141-0x00007FF9EA910000-0x00007FF9EAB05000-memory.dmp

Filesize
2.0MB

Download
memory/4416-14-0x00007FF9A88E0000-0x00007FF9A88F0000-memory.dmp

Filesize
64KB

Download
memory/4416-8-0x00007FF9EA910000-0x00007FF9EAB05000-memory.dmp

Filesize
2.0MB

Download
memory/4416-10-0x00007FF9EA910000-0x00007FF9EAB05000-memory.dmp

Filesize
2.0MB

Download
memory/4416-9-0x00007FF9AA990000-0x00007FF9AA9A0000-memory.dmp

Filesize
64KB

Download
memory/4416-7-0x00007FF9AA990000-0x00007FF9AA9A0000-memory.dmp

Filesize
64KB

Download
memory/4416-138-0x00007FF9EA910000-0x00007FF9EAB05000-memory.dmp

Filesize
2.0MB

Download
memory/4416-6-0x00007FF9EA910000-0x00007FF9EAB05000-memory.dmp

Filesize
2.0MB

Download
memory/4416-15-0x00007FF9A88E0000-0x00007FF9A88F0000-memory.dmp

Filesize
64KB

Download
memory/4416-11-0x00007FF9AA990000-0x00007FF9AA9A0000-memory.dmp

Filesize
64KB

Download
memory/4416-12-0x00007FF9EA910000-0x00007FF9EAB05000-memory.dmp

Filesize
2.0MB

Download
memory/4416-13-0x00007FF9AA990000-0x00007FF9AA9A0000-memory.dmp

Filesize
64KB

Download
memory/4416-139-0x00007FF9EA910000-0x00007FF9EAB05000-memory.dmp

Filesize
2.0MB

Download
memory/4416-5-0x00007FF9AA990000-0x00007FF9AA9A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads