c79914a98dedb0ec412c085aa8a1038273890e38637ff4c03dfa94a0a60f785e

General

Target

GADAR.exe
Size

36.8MB
MD5

dca5b159ce067d6d7ce142da63d1c444
SHA1

d6b7cac762523422d5873f8c976ccbc6b587be4d
SHA256

c79914a98dedb0ec412c085aa8a1038273890e38637ff4c03dfa94a0a60f785e
SHA512

1e008b28b6613bae6971ccc0c492977b7014525e81ef89fc250fc3400a9bdcfe522b91548b7a9e93919b4e51e24d553f61dcb5b8b576f221abb4dc52bae78f7c
SSDEEP

786432:v3unL7I3kOcdXub9F7DYtJVRqygELqzIYy9y+aJtShY9Q6SZKMg:/unL7ck5OKtRfLqcBUSG8Z0

Score

9^/10

agilenet evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

GADAR.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GADAR.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GADAR.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GADAR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GADAR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GADAR.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2228-0-0x0000000000180000-0x0000000001258000-memory.dmp	agile_net
behavioral2/memory/2228-3-0x0000000000180000-0x000000000120A000-memory.dmp	agile_net
behavioral2/memory/2228-135-0x0000000000180000-0x0000000001258000-memory.dmp	agile_net

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2228-8-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral2/memory/2228-7-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral2/memory/2228-17-0x0000000006210000-0x0000000006862000-memory.dmp	themida
behavioral2/memory/2228-18-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral2/memory/2228-21-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral2/memory/2228-20-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral2/memory/2228-22-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral2/memory/2228-19-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral2/memory/2228-23-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral2/memory/2228-258-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral2/memory/2228-260-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

GADAR.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA GADAR.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

GADAR.exe

pid process

2228 GADAR.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1128 sc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GADAR.exe

pid	process
2228	GADAR.exe

pid	process
1128	sc.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

GADAR.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	GADAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	GADAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	GADAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	GADAR.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

GADAR.exe

pid process

2228 GADAR.exe
2228 GADAR.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GADAR.exe

description pid process

Token: SeDebugPrivilege 2228 GADAR.exe

pid	process
2228	GADAR.exe
2228	GADAR.exe

description	pid	process
Token: SeDebugPrivilege	2228	GADAR.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

GADAR.execmd.exe

description	pid	process	target process
PID 2228 wrote to memory of 948	2228	GADAR.exe	cmd.exe
PID 2228 wrote to memory of 948	2228	GADAR.exe	cmd.exe
PID 2228 wrote to memory of 948	2228	GADAR.exe	cmd.exe
PID 2228 wrote to memory of 948	2228	GADAR.exe	cmd.exe
PID 948 wrote to memory of 1128	948	cmd.exe	sc.exe
PID 948 wrote to memory of 1128	948	cmd.exe	sc.exe
PID 948 wrote to memory of 1128	948	cmd.exe	sc.exe
PID 948 wrote to memory of 1128	948	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\GADAR.exe
"C:\Users\Admin\AppData\Local\Temp\GADAR.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\sc.exe
sc deleteCrManager
3⤵
- Launches sc.exe
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
676c8521908a5e3bb526e605bfa0c9b8

SHA1
9e9d905bdaa25fc05ea22fa54c18c9d1d88e424a

SHA256
8872a5eadea5b5566a78895ef042486e7eab6c1002f1253d76c764f0bf3e7125

SHA512
f259573958c63e48e0962f2a5c44c9ada8f2fc3ccda16c6971db9f5df3a23e178b692adbaf8954093bac5b013115a3aacaf27ea8fbfc1356473def9f6889ae18

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIKKA_V2.exe.config
Filesize
534B

MD5
4b14782cb47160b63edb3a1374a75347

SHA1
0632cf59cf6ecf19847e241a81b8ae4ef4c41864

SHA256
a5991e80a38e2aa164e09beb42cb87f70936f04dfa59370b0dbcf633eecda089

SHA512
836a3f35ef5237bce387e1b595def60d07e1a0c7d1a4b0bed3e12c3eb6e4ac44c2a492409581f8c19334bb7a5dedbf885be4e2c2ff74987630892b96ebdccb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3502.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.zip
Filesize
1.5MB

MD5
d65c4b996f8a1efc8f371565dd446bae

SHA1
aece2e9d29de2e8c0144775ac545eea817295286

SHA256
fd7ea37bc62233dcf93db9781b8594f95d7d0b88cc7dd3a3b20ee421560102fd

SHA512
d0e398d330a16b9139ce7f991ae865ed1eed67d798607b3718e1e48f0fa9512013441e09377389e61d2aca9076d40c7fe253b4a0ee453c677579a8e61692e23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb2550.tmp
Filesize
1KB

MD5
6ceb6e3be571bdaee3147adb325994f0

SHA1
25b8919e8c917c7d31436a4555d391306b96a3a3

SHA256
3705ac3ba0589b10770f0fb31000372e8f0ccecd2397c96db3ad3c6b986fd002

SHA512
339a1855a13fb844606e1950e430b5593528ec67da884d1b5a172a7740904daf1aaf6ae0cc0316638582742d1189720baba7f75030355ef706031074afd4d772

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64\SQLite.Interop.dll
Filesize
1.5MB

MD5
a0d07d0e354c7760497ef7ea6227b937

SHA1
10cfc3ff37b8b492a2130d1cda2ccfa8788a9650

SHA256
f39fc4d52b3e9e1a8d30fb8e2ffd320c1b54a5d5c5ad2444e57f0b3642cdc05e

SHA512
908c234cb616edc87a76d9153a6da8f2a1013c477602ec2068dc598592cd1355569f42989b1f4b29ab43f9dde3912dbfd9bfb01eaedbf6960277d629f75e24eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
Filesize
1.2MB

MD5
20f57cdc2bbf1921aeafc24a3550bafb

SHA1
e20d2ad819b47f58ebeac880bd10c04f2c7c368c

SHA256
b1d183195f39d03573312ca6b232869b2d06b2dd9afb8e7896f61eee3ee87224

SHA512
9a2f663dfa528ce5dd27dfad3717f146fd7074de30916c675488f7b4e718bf0aa0b5007b937ff1fa32acdd7c7cb1b4166c5ef0744aa599370b01c33076429fd3

Download Submit
memory/2228-17-0x0000000006210000-0x0000000006862000-memory.dmp

Filesize
6.3MB

Download
memory/2228-108-0x0000000006330000-0x0000000006374000-memory.dmp

Filesize
272KB

Download
memory/2228-18-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2228-21-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2228-20-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2228-22-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2228-19-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2228-23-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2228-24-0x0000000074260000-0x00000000742E0000-memory.dmp

Filesize
512KB

Download
memory/2228-92-0x0000000003540000-0x0000000003548000-memory.dmp

Filesize
32KB

Download
memory/2228-91-0x0000000005F30000-0x0000000005F78000-memory.dmp

Filesize
288KB

Download
memory/2228-99-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-16-0x00000000FFE00000-0x00000000FFFA7000-memory.dmp

Filesize
1.7MB

Download
memory/2228-106-0x0000000006330000-0x0000000006374000-memory.dmp

Filesize
272KB

Download
memory/2228-7-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2228-2-0x000000007446E000-0x000000007446F000-memory.dmp

Filesize
4KB

Download
memory/2228-107-0x0000000006330000-0x0000000006374000-memory.dmp

Filesize
272KB

Download
memory/2228-95-0x0000000006330000-0x0000000006374000-memory.dmp

Filesize
272KB

Download
memory/2228-15-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-8-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2228-5-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-135-0x0000000000180000-0x0000000001258000-memory.dmp

Filesize
16.8MB

Download
memory/2228-3-0x0000000000180000-0x000000000120A000-memory.dmp

Filesize
16.5MB

Download
memory/2228-0-0x0000000000180000-0x0000000001258000-memory.dmp

Filesize
16.8MB

Download
memory/2228-1-0x0000000077460000-0x0000000077461000-memory.dmp

Filesize
4KB

Download
memory/2228-257-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-258-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2228-260-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2228-262-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-266-0x0000000006330000-0x0000000006374000-memory.dmp

Filesize
272KB

Download
memory/2228-267-0x0000000006330000-0x0000000006374000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads