51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33

Analysis

max time kernel
169s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33.exe
Size

492KB
MD5

849fb8b541b520e3dbec2bd58b39d5ea
SHA1

d8485dce81ff728f58d0632f2ebbddb477766272
SHA256

51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33
SHA512

a07f35eec3b37468f90e900f504d3fad85aa962728dbe97ee41dc566f526465a6c128a3686a7ceab607921f6ae2ba17b962b464d82947b8161b6694d6658bdde
SSDEEP

12288:04MnDQUYUnzgWeclkN8J5pNAKXsbMq/mMlO0WhU:04MLYIgMpNAbMknOjhU

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\moovy.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\moovy.exe = "C:\\Users\\Admin\\AppData\\Roaming\\moovy.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	moovy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\sasa.exe = "C:\\Users\\Admin\\AppData\\Roaming\\moovy.exe"	moovy.exe

Executes dropped EXE 4 IoCs

pid	Process
1420	moovy.exe
3728	moovy.exe
764	moovy.exe
1124	moovy.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{32C0B45E-DE8F-EA2B-EA99-EF6ECDB8EF07}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\moovy.exe"	moovy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C0B45E-DE8F-EA2B-EA99-EF6ECDB8EF07}	moovy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C0B45E-DE8F-EA2B-EA99-EF6ECDB8EF07}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\moovy.exe"	moovy.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{32C0B45E-DE8F-EA2B-EA99-EF6ECDB8EF07}	moovy.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d000000022e50-134.dat	upx
behavioral2/files/0x000d000000022e50-135.dat	upx
behavioral2/memory/1420-139-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/3728-141-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/files/0x000d000000022e50-142.dat	upx
behavioral2/memory/1420-145-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/3728-144-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/3728-146-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/files/0x000d000000022e50-148.dat	upx
behavioral2/memory/764-156-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/files/0x000d000000022e50-163.dat	upx
behavioral2/memory/764-164-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/1124-173-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/3728-174-0x0000000000400000-0x0000000000474000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	moovy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sasa.exe = "C:\\Users\\Admin\\AppData\\Roaming\\moovy.exe"	moovy.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	moovy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sasa.exe = "C:\\Users\\Admin\\AppData\\Roaming\\moovy.exe"	moovy.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	moovy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	moovy.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1420 set thread context of 3728	1420	moovy.exe	83
PID 764 set thread context of 1124	764	moovy.exe	97

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1416	reg.exe
2740	reg.exe
3824	reg.exe
1776	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	3728	moovy.exe
Token: SeCreateTokenPrivilege	3728	moovy.exe
Token: SeAssignPrimaryTokenPrivilege	3728	moovy.exe
Token: SeLockMemoryPrivilege	3728	moovy.exe
Token: SeIncreaseQuotaPrivilege	3728	moovy.exe
Token: SeMachineAccountPrivilege	3728	moovy.exe
Token: SeTcbPrivilege	3728	moovy.exe
Token: SeSecurityPrivilege	3728	moovy.exe
Token: SeTakeOwnershipPrivilege	3728	moovy.exe
Token: SeLoadDriverPrivilege	3728	moovy.exe
Token: SeSystemProfilePrivilege	3728	moovy.exe
Token: SeSystemtimePrivilege	3728	moovy.exe
Token: SeProfSingleProcessPrivilege	3728	moovy.exe
Token: SeIncBasePriorityPrivilege	3728	moovy.exe
Token: SeCreatePagefilePrivilege	3728	moovy.exe
Token: SeCreatePermanentPrivilege	3728	moovy.exe
Token: SeBackupPrivilege	3728	moovy.exe
Token: SeRestorePrivilege	3728	moovy.exe
Token: SeShutdownPrivilege	3728	moovy.exe
Token: SeDebugPrivilege	3728	moovy.exe
Token: SeAuditPrivilege	3728	moovy.exe
Token: SeSystemEnvironmentPrivilege	3728	moovy.exe
Token: SeChangeNotifyPrivilege	3728	moovy.exe
Token: SeRemoteShutdownPrivilege	3728	moovy.exe
Token: SeUndockPrivilege	3728	moovy.exe
Token: SeSyncAgentPrivilege	3728	moovy.exe
Token: SeEnableDelegationPrivilege	3728	moovy.exe
Token: SeManageVolumePrivilege	3728	moovy.exe
Token: SeImpersonatePrivilege	3728	moovy.exe
Token: SeCreateGlobalPrivilege	3728	moovy.exe
Token: 31	3728	moovy.exe
Token: 32	3728	moovy.exe
Token: 33	3728	moovy.exe
Token: 34	3728	moovy.exe
Token: 35	3728	moovy.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3728	moovy.exe
3728	moovy.exe
1124	moovy.exe
1124	moovy.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 1420	4204	51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33.exe	82
PID 4204 wrote to memory of 1420	4204	51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33.exe	82
PID 4204 wrote to memory of 1420	4204	51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33.exe	82
PID 1420 wrote to memory of 3728	1420	moovy.exe	83
PID 1420 wrote to memory of 3728	1420	moovy.exe	83
PID 1420 wrote to memory of 3728	1420	moovy.exe	83
PID 1420 wrote to memory of 3728	1420	moovy.exe	83
PID 1420 wrote to memory of 3728	1420	moovy.exe	83
PID 1420 wrote to memory of 3728	1420	moovy.exe	83
PID 1420 wrote to memory of 3728	1420	moovy.exe	83
PID 1420 wrote to memory of 3728	1420	moovy.exe	83
PID 1420 wrote to memory of 3728	1420	moovy.exe	83
PID 1420 wrote to memory of 3728	1420	moovy.exe	83
PID 4204 wrote to memory of 764	4204	51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33.exe	84
PID 4204 wrote to memory of 764	4204	51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33.exe	84
PID 4204 wrote to memory of 764	4204	51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33.exe	84
PID 3728 wrote to memory of 2372	3728	moovy.exe	85
PID 3728 wrote to memory of 2372	3728	moovy.exe	85
PID 3728 wrote to memory of 2372	3728	moovy.exe	85
PID 3728 wrote to memory of 4660	3728	moovy.exe	86
PID 3728 wrote to memory of 4660	3728	moovy.exe	86
PID 3728 wrote to memory of 4660	3728	moovy.exe	86
PID 3728 wrote to memory of 2348	3728	moovy.exe	87
PID 3728 wrote to memory of 2348	3728	moovy.exe	87
PID 3728 wrote to memory of 2348	3728	moovy.exe	87
PID 3728 wrote to memory of 4364	3728	moovy.exe	88
PID 3728 wrote to memory of 4364	3728	moovy.exe	88
PID 3728 wrote to memory of 4364	3728	moovy.exe	88
PID 4364 wrote to memory of 1416	4364	cmd.exe	93
PID 4364 wrote to memory of 1416	4364	cmd.exe	93
PID 4364 wrote to memory of 1416	4364	cmd.exe	93
PID 2372 wrote to memory of 1776	2372	cmd.exe	96
PID 2372 wrote to memory of 1776	2372	cmd.exe	96
PID 2372 wrote to memory of 1776	2372	cmd.exe	96
PID 2348 wrote to memory of 3824	2348	cmd.exe	95
PID 2348 wrote to memory of 3824	2348	cmd.exe	95
PID 2348 wrote to memory of 3824	2348	cmd.exe	95
PID 4660 wrote to memory of 2740	4660	cmd.exe	94
PID 4660 wrote to memory of 2740	4660	cmd.exe	94
PID 4660 wrote to memory of 2740	4660	cmd.exe	94
PID 764 wrote to memory of 1124	764	moovy.exe	97
PID 764 wrote to memory of 1124	764	moovy.exe	97
PID 764 wrote to memory of 1124	764	moovy.exe	97
PID 764 wrote to memory of 1124	764	moovy.exe	97
PID 764 wrote to memory of 1124	764	moovy.exe	97
PID 764 wrote to memory of 1124	764	moovy.exe	97
PID 764 wrote to memory of 1124	764	moovy.exe	97
PID 764 wrote to memory of 1124	764	moovy.exe	97
PID 764 wrote to memory of 1124	764	moovy.exe	97
PID 764 wrote to memory of 1124	764	moovy.exe	97

C:\Users\Admin\AppData\Local\Temp\51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33.exe
"C:\Users\Admin\AppData\Local\Temp\51655600c867daf8964b5d78201e40b38d6836231b43dc47fcf43a1cb3163a33.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\moovy.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\moovy.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\moovy.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\moovy.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe

Filesize
339KB

MD5
e47f1b28b94cdf494da950cbd22747b7

SHA1
a23546f5b4a3563b1416a9fc6b69a904a3765728

SHA256
11c76ce80cb3881c5ba22b0d36d0beee8e54dea734d8507b2670fd4da2b3e0a3

SHA512
adf8685978e04f3aede87c2d8cc18fd1443f6d4236dee8a3ca5fd6767e3f395b1f5177f31af0104bcdf7f1f33e0a19e9e02e3e86dd8d38dd4d0ddc2a5762dd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe

Filesize
339KB

MD5
e47f1b28b94cdf494da950cbd22747b7

SHA1
a23546f5b4a3563b1416a9fc6b69a904a3765728

SHA256
11c76ce80cb3881c5ba22b0d36d0beee8e54dea734d8507b2670fd4da2b3e0a3

SHA512
adf8685978e04f3aede87c2d8cc18fd1443f6d4236dee8a3ca5fd6767e3f395b1f5177f31af0104bcdf7f1f33e0a19e9e02e3e86dd8d38dd4d0ddc2a5762dd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe

Filesize
339KB

MD5
e47f1b28b94cdf494da950cbd22747b7

SHA1
a23546f5b4a3563b1416a9fc6b69a904a3765728

SHA256
11c76ce80cb3881c5ba22b0d36d0beee8e54dea734d8507b2670fd4da2b3e0a3

SHA512
adf8685978e04f3aede87c2d8cc18fd1443f6d4236dee8a3ca5fd6767e3f395b1f5177f31af0104bcdf7f1f33e0a19e9e02e3e86dd8d38dd4d0ddc2a5762dd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe

Filesize
339KB

MD5
e47f1b28b94cdf494da950cbd22747b7

SHA1
a23546f5b4a3563b1416a9fc6b69a904a3765728

SHA256
11c76ce80cb3881c5ba22b0d36d0beee8e54dea734d8507b2670fd4da2b3e0a3

SHA512
adf8685978e04f3aede87c2d8cc18fd1443f6d4236dee8a3ca5fd6767e3f395b1f5177f31af0104bcdf7f1f33e0a19e9e02e3e86dd8d38dd4d0ddc2a5762dd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moovy.exe

Filesize
339KB

MD5
e47f1b28b94cdf494da950cbd22747b7

SHA1
a23546f5b4a3563b1416a9fc6b69a904a3765728

SHA256
11c76ce80cb3881c5ba22b0d36d0beee8e54dea734d8507b2670fd4da2b3e0a3

SHA512
adf8685978e04f3aede87c2d8cc18fd1443f6d4236dee8a3ca5fd6767e3f395b1f5177f31af0104bcdf7f1f33e0a19e9e02e3e86dd8d38dd4d0ddc2a5762dd8a

Download Submit
memory/764-156-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/764-164-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1124-173-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1420-145-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1420-139-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3728-141-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3728-174-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3728-146-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3728-144-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4204-132-0x0000000001000000-0x000000000107B000-memory.dmp

Filesize
492KB

Download
memory/4204-138-0x0000000000A00000-0x0000000000A39000-memory.dmp

Filesize
228KB

Download
memory/4204-137-0x0000000000180000-0x0000000000184000-memory.dmp

Filesize
16KB

Download
memory/4204-167-0x0000000001000000-0x000000000107B000-memory.dmp

Filesize
492KB

Download
memory/4204-169-0x0000000000A00000-0x0000000000A39000-memory.dmp

Filesize
228KB

Download
memory/4204-136-0x0000000001000000-0x000000000107B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads