f06047b09abc77529969c5949deda36ff154539d1b9ed8942c22fbb307d8aac9

General

Target

uncategorized_1.2.0.1.vir.exe
Size

304KB
MD5

a0173bd7d459e734f3417e40e612bb0c
SHA1

f107596acaa9e7a0916a46a68db923e3ab228be1
SHA256

f06047b09abc77529969c5949deda36ff154539d1b9ed8942c22fbb307d8aac9
SHA512

310fff512b750c5eab7361c1c23906d78353d8443fe0c95454e0ff9afce930f183ad37c3ac8ba8bb1ce8428443929a32d47ec641279272b96e60d6df96c0674b

Score

8^/10

persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

rusu.exe

pid	process
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe
752	rusu.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rusu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	rusu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{DF47E27E-D326-15CC-09CD-43E596A509D3} = "C:\\Users\\Admin\\AppData\\Roaming\\Gekih\\rusu.exe"	rusu.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rusu.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rusu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rusu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rusu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rusu.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

uncategorized_1.2.0.1.vir.exeuncategorized_1.2.0.1.vir.exerusu.exerusu.exe

description	pid	process	target process
PID 1496 wrote to memory of 1560	1496	uncategorized_1.2.0.1.vir.exe	uncategorized_1.2.0.1.vir.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_1.2.0.1.vir.exe	uncategorized_1.2.0.1.vir.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_1.2.0.1.vir.exe	uncategorized_1.2.0.1.vir.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_1.2.0.1.vir.exe	uncategorized_1.2.0.1.vir.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_1.2.0.1.vir.exe	uncategorized_1.2.0.1.vir.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_1.2.0.1.vir.exe	uncategorized_1.2.0.1.vir.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_1.2.0.1.vir.exe	uncategorized_1.2.0.1.vir.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_1.2.0.1.vir.exe	uncategorized_1.2.0.1.vir.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_1.2.0.1.vir.exe	uncategorized_1.2.0.1.vir.exe
PID 1560 wrote to memory of 304	1560	uncategorized_1.2.0.1.vir.exe	rusu.exe
PID 1560 wrote to memory of 304	1560	uncategorized_1.2.0.1.vir.exe	rusu.exe
PID 1560 wrote to memory of 304	1560	uncategorized_1.2.0.1.vir.exe	rusu.exe
PID 1560 wrote to memory of 304	1560	uncategorized_1.2.0.1.vir.exe	rusu.exe
PID 304 wrote to memory of 752	304	rusu.exe	rusu.exe
PID 304 wrote to memory of 752	304	rusu.exe	rusu.exe
PID 304 wrote to memory of 752	304	rusu.exe	rusu.exe
PID 304 wrote to memory of 752	304	rusu.exe	rusu.exe
PID 304 wrote to memory of 752	304	rusu.exe	rusu.exe
PID 304 wrote to memory of 752	304	rusu.exe	rusu.exe
PID 304 wrote to memory of 752	304	rusu.exe	rusu.exe
PID 304 wrote to memory of 752	304	rusu.exe	rusu.exe
PID 304 wrote to memory of 752	304	rusu.exe	rusu.exe
PID 1560 wrote to memory of 1060	1560	uncategorized_1.2.0.1.vir.exe	cmd.exe
PID 1560 wrote to memory of 1060	1560	uncategorized_1.2.0.1.vir.exe	cmd.exe
PID 1560 wrote to memory of 1060	1560	uncategorized_1.2.0.1.vir.exe	cmd.exe
PID 1560 wrote to memory of 1060	1560	uncategorized_1.2.0.1.vir.exe	cmd.exe
PID 752 wrote to memory of 1080	752	rusu.exe	taskhost.exe
PID 752 wrote to memory of 1080	752	rusu.exe	taskhost.exe
PID 752 wrote to memory of 1080	752	rusu.exe	taskhost.exe
PID 752 wrote to memory of 1080	752	rusu.exe	taskhost.exe
PID 752 wrote to memory of 1080	752	rusu.exe	taskhost.exe
PID 752 wrote to memory of 1188	752	rusu.exe	Dwm.exe
PID 752 wrote to memory of 1188	752	rusu.exe	Dwm.exe
PID 752 wrote to memory of 1188	752	rusu.exe	Dwm.exe
PID 752 wrote to memory of 1188	752	rusu.exe	Dwm.exe
PID 752 wrote to memory of 1188	752	rusu.exe	Dwm.exe
PID 752 wrote to memory of 1228	752	rusu.exe	Explorer.EXE
PID 752 wrote to memory of 1228	752	rusu.exe	Explorer.EXE
PID 752 wrote to memory of 1228	752	rusu.exe	Explorer.EXE
PID 752 wrote to memory of 1228	752	rusu.exe	Explorer.EXE
PID 752 wrote to memory of 1228	752	rusu.exe	Explorer.EXE
PID 752 wrote to memory of 1060	752	rusu.exe	cmd.exe
PID 752 wrote to memory of 1060	752	rusu.exe	cmd.exe
PID 752 wrote to memory of 1060	752	rusu.exe	cmd.exe
PID 752 wrote to memory of 1060	752	rusu.exe	cmd.exe
PID 752 wrote to memory of 1060	752	rusu.exe	cmd.exe
PID 752 wrote to memory of 1048	752	rusu.exe	conhost.exe
PID 752 wrote to memory of 1048	752	rusu.exe	conhost.exe
PID 752 wrote to memory of 1048	752	rusu.exe	conhost.exe
PID 752 wrote to memory of 1844	752	rusu.exe	DllHost.exe
PID 752 wrote to memory of 1844	752	rusu.exe	DllHost.exe
PID 752 wrote to memory of 1844	752	rusu.exe	DllHost.exe
PID 752 wrote to memory of 1844	752	rusu.exe	DllHost.exe
PID 752 wrote to memory of 1844	752	rusu.exe	DllHost.exe
PID 752 wrote to memory of 1884	752	rusu.exe	DllHost.exe
PID 752 wrote to memory of 1884	752	rusu.exe	DllHost.exe
PID 752 wrote to memory of 1884	752	rusu.exe	DllHost.exe
PID 752 wrote to memory of 1884	752	rusu.exe	DllHost.exe
PID 752 wrote to memory of 1884	752	rusu.exe	DllHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

uncategorized_1.2.0.1.vir.exe

description pid process

Token: SeSecurityPrivilege 1560 uncategorized_1.2.0.1.vir.exe
Loads dropped DLL 2 IoCs

Processes:

uncategorized_1.2.0.1.vir.exe

pid process

1560 uncategorized_1.2.0.1.vir.exe
1560 uncategorized_1.2.0.1.vir.exe
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

description	pid	process
Token: SeSecurityPrivilege	1560	uncategorized_1.2.0.1.vir.exe

pid	process
1560	uncategorized_1.2.0.1.vir.exe
1560	uncategorized_1.2.0.1.vir.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

uncategorized_1.2.0.1.vir.exerusu.exe

description	pid	process	target process
PID 1496 set thread context of 1560	1496	uncategorized_1.2.0.1.vir.exe	uncategorized_1.2.0.1.vir.exe
PID 304 set thread context of 752	304	rusu.exe	rusu.exe

Executes dropped EXE 2 IoCs

Processes:

rusu.exerusu.exe

pid process

304 rusu.exe
752 rusu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1060 cmd.exe

pid	process
304	rusu.exe
752	rusu.exe

pid	process
1060	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1080

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.0.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.0.1.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1496

C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.0.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.0.1.vir.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
PID:1560

C:\Users\Admin\AppData\Roaming\Gekih\rusu.exe
"C:\Users\Admin\AppData\Roaming\Gekih\rusu.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:304

C:\Users\Admin\AppData\Roaming\Gekih\rusu.exe
"C:\Users\Admin\AppData\Roaming\Gekih\rusu.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpeac0bbda.bat"
4⤵
- Deletes itself
PID:1060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-673675417-195247640-1200046112-255127308-147935301413437546182064997743-1990493065"
1⤵
PID:1048

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1844

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpeac0bbda.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Gekih\rusu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Gekih\rusu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Gekih\rusu.exe

Download Submit
\Users\Admin\AppData\Roaming\Gekih\rusu.exe

Download Submit
\Users\Admin\AppData\Roaming\Gekih\rusu.exe

Download Submit
memory/304-5-0x0000000000000000-mapping.dmp

Download
memory/752-9-0x0000000000415D3E-mapping.dmp

Download
memory/1060-12-0x0000000000000000-mapping.dmp

Download
memory/1060-13-0x0000000000000000-mapping.dmp

Download
memory/1560-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1560-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1560-1-0x0000000000415D3E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads