6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
Size

41KB
MD5

542adcb1bd6f3734ff7f097808f11436
SHA1

417b78f2845555d795fc7b14658f3358e806ca8f
SHA256

6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7
SHA512

a4f9ca8cd6d8a963ed84563c48bd41a34e7c3754f324b66cdaf131260c4502cc1d17fa125c904c4be61557a85727df7a2a6f416b86b08e4e8e4112ee12e54582
SSDEEP

768:xeMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09Cy:xq5VwWDjDkdTRqHFOn8tIbbeYiuZIFSz

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 16 IoCs

resource	yara_rule
behavioral1/memory/1524-0-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral1/files/0x000c0000000132c6-10.dat	UPX
behavioral1/memory/1524-15-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/files/0x000b00000001224c-17.dat	UPX
behavioral1/memory/1524-18-0x00000000002B0000-0x00000000002B9000-memory.dmp	UPX
behavioral1/memory/1524-24-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral1/memory/2640-27-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral1/files/0x000a0000000139d6-28.dat	UPX
behavioral1/memory/1524-26-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/memory/2540-38-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral1/memory/2640-34-0x0000000000320000-0x000000000033F000-memory.dmp	UPX
behavioral1/memory/2540-40-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/memory/2540-42-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral1/memory/2540-43-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/memory/2540-47-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral1/memory/2640-49-0x0000000000320000-0x000000000033F000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c0000000132c6-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2640	ctfmen.exe
2540	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
1524	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
1524	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
1524	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
2640	ctfmen.exe
2640	ctfmen.exe
2540	smnss.exe
1424	WerFault.exe
1424	WerFault.exe
1424	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\grcopy.dll	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
File created	C:\Windows\SysWOW64\smnss.exe	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
File created	C:\Windows\SysWOW64\shervans.dll	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
File created	C:\Windows\SysWOW64\satornas.dll	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1424	2540	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2640	1524	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe	28
PID 1524 wrote to memory of 2640	1524	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe	28
PID 1524 wrote to memory of 2640	1524	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe	28
PID 1524 wrote to memory of 2640	1524	6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe	28
PID 2640 wrote to memory of 2540	2640	ctfmen.exe	29
PID 2640 wrote to memory of 2540	2640	ctfmen.exe	29
PID 2640 wrote to memory of 2540	2640	ctfmen.exe	29
PID 2640 wrote to memory of 2540	2640	ctfmen.exe	29
PID 2540 wrote to memory of 1424	2540	smnss.exe	30
PID 2540 wrote to memory of 1424	2540	smnss.exe	30
PID 2540 wrote to memory of 1424	2540	smnss.exe	30
PID 2540 wrote to memory of 1424	2540	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe
"C:\Users\Admin\AppData\Local\Temp\6fd67ca0062f09a5d839f9de4d01314fb7b434c0a987731d514af09ae97750e7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 840
      4⤵
      Loads dropped DLL
      Program crash
      PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
9098581762e3f0b6d30f8af5b7ea80fc

SHA1
80426b59d8f807c0fac74cde48d53ee514bef6a2

SHA256
c1f4b153d205c56e4d1f48ceb47e7145b19965faff0af9ce9d1f195763d61d03

SHA512
6951bb3da6212d7ccb53353221c6601e5c6640c984dd78985d83c6ab439a904ee584e2a33ba78e6bb94d7abc6aaf5564e09fe68de779534244a18f12c286dfa3

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
87b767437b4564c0fa91415b8eebb61b

SHA1
e68880b92f071d3fd068ca77c7dee237ed11f969

SHA256
24b171f56a0f942606343a31c07aeefec17dbfa779ca68ba74712f8ef343582b

SHA512
ebf6f499ce7283afbc3bb737d8c3d0e31788e23517ad4207068e2ee73c1a63e1d741392f9e24cc898bb0f9806113fc886f786fc9830cbd84c981a0bf76050077

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
d362e35b5a3c7c253dd925777ef692de

SHA1
3dbaf20aab391184687648271473e52074800d9d

SHA256
38954f84272195c7224999a4399f50ca69ecf58cfbf6422bfe07d62df79cf7c7

SHA512
0ef2e4382ed216e9fb0c5b0f962bbbc76adc2c5f0b31c72011c63296df18997554cf5f644bddb6e5d448937455313ff1100c47a82649032b9884a26839952b70

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
41KB

MD5
0a18edb8b8fcc6585cbc6fb0f60806b1

SHA1
0d2d403edcc8cac9c41b6c4d2880d85b91da2ed5

SHA256
1dc347bcd7ee33a3d34a8c2d42de557309586515909eafb1ac32bc46b404c43b

SHA512
d2a68fe7493bfe785f5a5f04aa288b8f6671c5b04089ed0f562bda267ddba999e2a37adad3defed170b65abd5f9eed5530abaa4471dbed933f235c5f412f3d2a

Download Submit
memory/1524-18-0x00000000002B0000-0x00000000002B9000-memory.dmp

Filesize
36KB

Download
memory/1524-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1524-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1524-26-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1524-15-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2540-38-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2540-40-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2540-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2540-43-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2540-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2640-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-34-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2640-49-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads