8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a

General

Target

8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
Size

2.5MB
MD5

2596d7ffd5a33ee9b9eb9198ca7c56f0
SHA1

fd8c50cf801adc61f2e03c328692f3015c4fffc7
SHA256

8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a
SHA512

532b1f13ceae966843cc80bb50eac0d839310e0f61d2ce30a7181c098599822c6c9e496407c2f1ed0f11eea631fb0405ec78b1e219d773380969c2275c853100
SSDEEP

49152:8xmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyx7:8xx9NUFkQx753uWuCyyx7

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

spoolsv.exe8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1980 explorer.exe
3692 spoolsv.exe
4916 svchost.exe
2888 spoolsv.exe

pid	process
1980	explorer.exe
3692	spoolsv.exe
4916	svchost.exe
2888	spoolsv.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1844-0-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
C:\Windows\Resources\Themes\explorer.exe	themida
behavioral2/memory/1980-10-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
C:\Windows\Resources\spoolsv.exe	themida
behavioral2/memory/3692-19-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
C:\Windows\Resources\svchost.exe	themida
behavioral2/memory/4916-28-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral2/memory/2888-33-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral2/memory/3692-41-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral2/memory/1844-42-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral2/memory/2888-38-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral2/memory/1980-43-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral2/memory/4916-44-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral2/memory/1980-49-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral2/memory/1980-55-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral2/memory/4916-62-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral2/memory/4916-66-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1980 explorer.exe
3692 spoolsv.exe
4916 svchost.exe
2888 spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exe8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exe

pid	process
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1980 explorer.exe
4916 svchost.exe

pid	process
1980	explorer.exe
4916	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
1980	explorer.exe
1980	explorer.exe
3692	spoolsv.exe
3692	spoolsv.exe
4916	svchost.exe
4916	svchost.exe
2888	spoolsv.exe
2888	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1844 wrote to memory of 1980	1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe	explorer.exe
PID 1844 wrote to memory of 1980	1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe	explorer.exe
PID 1844 wrote to memory of 1980	1844	8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe	explorer.exe
PID 1980 wrote to memory of 3692	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 3692	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 3692	1980	explorer.exe	spoolsv.exe
PID 3692 wrote to memory of 4916	3692	spoolsv.exe	svchost.exe
PID 3692 wrote to memory of 4916	3692	spoolsv.exe	svchost.exe
PID 3692 wrote to memory of 4916	3692	spoolsv.exe	svchost.exe
PID 4916 wrote to memory of 2888	4916	svchost.exe	spoolsv.exe
PID 4916 wrote to memory of 2888	4916	svchost.exe	spoolsv.exe
PID 4916 wrote to memory of 2888	4916	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
"C:\Users\Admin\AppData\Local\Temp\8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3692

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe
Filesize
2.5MB

MD5
bd6e552a580fa80f9c1db2ae832e1804

SHA1
14567ea42624a586352af65c8c22e09c684d668b

SHA256
382370b763353d457dbc72e29334b8a809f0d3179b5000101691a8647a9e0cff

SHA512
f5aa20c4b53fc64b762ec5b05788ff121502860b3a784b9d82a91c40b91c7d9d1252d92934cbcad501fb44497b49ea79be06d38617bd0f06d986021354d818d5

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
2.5MB

MD5
3d5b5a5e6d361878020bfd7372be897a

SHA1
cc41058c04f20e5d2b2c8aeba1a705e5e3095972

SHA256
966f9ef7647cfacaa12d11c783e9f2ce6cf2d2fc42ece22eaa8b8f562f7bfdd1

SHA512
83e90f79e088c35b64caec7130ca9534ca5359fd419d712cbc30264816494c4f0d1f10c29859eb42c7df9c97de9ef6d6d964ebbe41bd53a7119e8a8dc306f87c

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
2.5MB

MD5
d554c00197197ef72ecacc801a6acd42

SHA1
d112899585b8c27c71c3a5a7667d5623fc5502aa

SHA256
eee414fe3ba570af0ea596018100165b3e2049ea75d06a10e80fe53e9c300966

SHA512
c595e754c4ba8a39baebb2706d02fe4868a2d665467e1cfa986b3c8625ca2dbd1f6385c5de4b98b16c45162fe57b0441ae1ddb0de921b19df159037c453258ea

Download Submit
memory/1844-1-0x0000000077934000-0x0000000077936000-memory.dmp

Filesize
8KB

Download
memory/1844-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/1844-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/1980-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/1980-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/1980-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/1980-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2888-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2888-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/3692-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/3692-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/4916-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/4916-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/4916-62-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/4916-66-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads