9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
Size

823KB
MD5

6a1d04294a323aced762cb4023946f02
SHA1

f7c92ef40d506c9fbe625560c080ea21414a9f20
SHA256

9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb
SHA512

25bfd60fc41260d8438460546358706b691194e85f8695efcda2bf400ab8591c2f1c6e9e32307de2a13779c70d3db4a5983ebb38e2f1fe707f04b5815fa41d95
SSDEEP

12288:ymi/oGGwH/BTqATt9IGeIm0JFg7qFhZjGgxGwPUD0INtcs9w7Ju+esTCmKkUUJ:5i/oMHZ1fm0s0agxGwfINyz7R2m3UG

Score

8^/10

aspackv2 bootkit persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000d000000022f3f-139.dat	aspack_v212_v242
behavioral2/files/0x000d000000022f3f-140.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f52-147.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f50-154.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f52-157.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f52-156.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2556	f240576484.exe
4968	datztg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe

Loads dropped DLL 3 IoCs

pid	Process
3956	regsvr32.exe
2556	f240576484.exe
4968	datztg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winsync = "C:\\Windows\\system32\\datztg.exe reg_run"	f240576484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winsync = "C:\\Windows\\system32\\datztg.exe reg_run"	datztg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
File opened for modification	\??\PhysicalDrive0	f240576484.exe
File opened for modification	\??\PhysicalDrive0	datztg.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\licncxr.dll	f240576484.exe
File created	C:\Windows\SysWOW64\vgactl.cpl	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	regsvr32.exe
File created	C:\Windows\SysWOW64\kfmkm.dll	f240576484.exe
File opened for modification	C:\Windows\SysWOW64\kfmkm.dll	datztg.exe
File created	C:\Windows\SysWOW64\dbaqaxn.exe	f240576484.exe
File opened for modification	C:\Windows\SysWOW64\licncxr.dll	datztg.exe
File opened for modification	C:\Windows\SysWOW64\dbaqaxn.exe	datztg.exe
File created	C:\Windows\SysWOW64\wuauclt.dll	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
File created	C:\Windows\SysWOW64\wpuyu.dat	f240576484.exe
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	datztg.exe
File created	C:\Windows\SysWOW64\datztg.exe	datztg.exe
File created	C:\Windows\SysWOW64\wpuyu.dat	datztg.exe
File created	C:\Windows\SysWOW64\datztg.exe	f240576484.exe
File opened for modification	C:\Windows\SysWOW64\datztg.exe	f240576484.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\nvcwce.dat	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
File created	C:\Windows\trpcp.dll	f240576484.exe
File opened for modification	C:\Windows\trpcp.dll	f240576484.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f240576484.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f240576484.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f240576484.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	datztg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	datztg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	datztg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	f240576484.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	datztg.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\CLSID = "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\MenuText = "Java"	regsvr32.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "Columns class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2350234-cee7-435a-98c2-c85bb42ed186}\ProgId\ = "oexjxfeu.class"	f240576484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mfykysnt	f240576484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6b0cf580-8057-4f14-b1eb-35e125d58fd6}\InProcServer32\ = "C:\\Windows\\SysWow64\\kfmkm.dll"	datztg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6b0cf580-8057-4f14-b1eb-35e125d58fd6}\ProgId\ = "oexjxfeu.class"	datztg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mfykysnt	datztg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mfykysnt\ = "{f2350234-cee7-435a-98c2-c85bb42ed186}"	f240576484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId\ = "Columns class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2350234-cee7-435a-98c2-c85bb42ed186}	f240576484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2350234-cee7-435a-98c2-c85bb42ed186}\ProgId	f240576484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6b0cf580-8057-4f14-b1eb-35e125d58fd6}\InProcServer32	datztg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6b0cf580-8057-4f14-b1eb-35e125d58fd6}\InProcServer32\ThreadingModel = "Apartment"	datztg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ = "C:\\Windows\\SysWow64\\wuauclt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2350234-cee7-435a-98c2-c85bb42ed186}\ = "oexjxfeu.class"	f240576484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2350234-cee7-435a-98c2-c85bb42ed186}\InProcServer32	f240576484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6b0cf580-8057-4f14-b1eb-35e125d58fd6}\ = "oexjxfeu.class"	datztg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6b0cf580-8057-4f14-b1eb-35e125d58fd6}\ProgId	datztg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2350234-cee7-435a-98c2-c85bb42ed186}\InProcServer32\ThreadingModel = "Apartment"	f240576484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2350234-cee7-435a-98c2-c85bb42ed186}\InProcServer32\ = "C:\\Windows\\SysWow64\\kfmkm.dll"	f240576484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6b0cf580-8057-4f14-b1eb-35e125d58fd6}	datztg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mfykysnt\ = "{6b0cf580-8057-4f14-b1eb-35e125d58fd6}"	datztg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 3956	3312	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	79
PID 3312 wrote to memory of 3956	3312	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	79
PID 3312 wrote to memory of 3956	3312	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	79
PID 3312 wrote to memory of 2556	3312	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	80
PID 3312 wrote to memory of 2556	3312	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	80
PID 3312 wrote to memory of 2556	3312	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	80
PID 2556 wrote to memory of 4968	2556	f240576484.exe	81
PID 2556 wrote to memory of 4968	2556	f240576484.exe	81
PID 2556 wrote to memory of 4968	2556	f240576484.exe	81

C:\Users\Admin\AppData\Local\Temp\9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
"C:\Users\Admin\AppData\Local\Temp\9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\wuauclt.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:3956
- C:\Users\Admin\AppData\Local\Temp\f240576484.exe
  "C:\Users\Admin\AppData\Local\Temp\f240576484.exe" first_run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\datztg.exe
    first_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies registry class
    PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f240576484.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f240576484.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
C:\Windows\SysWOW64\datztg.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
C:\Windows\SysWOW64\datztg.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
C:\Windows\SysWOW64\dbaqaxn.exe

Filesize
163KB

MD5
eabbb6f57dac51f65b7fa7ad44dc0c85

SHA1
70b89bb6eda284e71271f35497f0309cde69fea7

SHA256
7907745f5df59442b6a80ceb8dfbcbf139c41580e5cfad5969c92090b0e711fa

SHA512
fb57dad1ca7957ff11bd915e66035380daf0ab2c78c41592bc0c5b6f326b138940737279e04248497fc58972a805fd5d7583a917f59dfc40b84e3cd2f093ecd3

Download Submit
C:\Windows\SysWOW64\kfmkm.dll

Filesize
130KB

MD5
78d4c669c1f3268b6cfc493e08df9d20

SHA1
bc54b50630a72c86d503f435459112cac1aa9989

SHA256
484e60c78e02266e8857f95511c3f2b2a7714020051b615fc5c8e6c6b1a4c5b7

SHA512
5a6b2904648337b6d32cc42f6aa45733c39f0a3590a2fb8547fc02f367fc882c046ade108e159c07d3f484e37118d4894972b1edf99546ce898f762355712a34

Download Submit
C:\Windows\SysWOW64\kfmkm.dll

Filesize
130KB

MD5
78d4c669c1f3268b6cfc493e08df9d20

SHA1
bc54b50630a72c86d503f435459112cac1aa9989

SHA256
484e60c78e02266e8857f95511c3f2b2a7714020051b615fc5c8e6c6b1a4c5b7

SHA512
5a6b2904648337b6d32cc42f6aa45733c39f0a3590a2fb8547fc02f367fc882c046ade108e159c07d3f484e37118d4894972b1edf99546ce898f762355712a34

Download Submit
C:\Windows\SysWOW64\kfmkm.dll

Filesize
130KB

MD5
78d4c669c1f3268b6cfc493e08df9d20

SHA1
bc54b50630a72c86d503f435459112cac1aa9989

SHA256
484e60c78e02266e8857f95511c3f2b2a7714020051b615fc5c8e6c6b1a4c5b7

SHA512
5a6b2904648337b6d32cc42f6aa45733c39f0a3590a2fb8547fc02f367fc882c046ade108e159c07d3f484e37118d4894972b1edf99546ce898f762355712a34

Download Submit
C:\Windows\SysWOW64\licncxr.dll

Filesize
176KB

MD5
e1900e1e64c730073c74c7bd72ef8f3e

SHA1
f2a2faf02d532bf9f2c209d349c580f4525ad19a

SHA256
b792a3a2b46072f6c0ef11cc0e0b4366af25a4a43e5a94476b6e387e765a1e25

SHA512
9256d304e6cfb52a070276d026eb86eec713fa6054092e9d977a5b734f240cc8d767f7f1117347fe4c50f516736339e34839d7614fd603eef4d4a797e1cd0722

Download Submit
C:\Windows\SysWOW64\wuauclt.dll

Filesize
156KB

MD5
6451095f639ab38909988e41432f1a43

SHA1
0d5839203d8b31bb23ab5746019ea45b5545da2c

SHA256
34ce0665cbd0125173995e8051ee5a62dbadeeb6041a1da1b74811db0a41311e

SHA512
cc008c301865028adee899f80223491dd2439bcb812cc66869d1c28d1cb75427c93b3248e2718ab4abef9b5d5895e33cb4f4f3fa24cd302760055dcee4fef7e2

Download Submit
C:\Windows\SysWOW64\wuauclt.dll

Filesize
156KB

MD5
6451095f639ab38909988e41432f1a43

SHA1
0d5839203d8b31bb23ab5746019ea45b5545da2c

SHA256
34ce0665cbd0125173995e8051ee5a62dbadeeb6041a1da1b74811db0a41311e

SHA512
cc008c301865028adee899f80223491dd2439bcb812cc66869d1c28d1cb75427c93b3248e2718ab4abef9b5d5895e33cb4f4f3fa24cd302760055dcee4fef7e2

Download Submit
C:\Windows\trpcp.dll

Filesize
33B

MD5
1973544325e3066680b6f20e280ddbd2

SHA1
10250de04433cc0f0e1a7fbedbb2a71ab4f2268c

SHA256
40e1440dc4ab1551f9056409474100946034aec45b32a37993f1b55fedfa5b3d

SHA512
5d717b140f38347339f06e2dd255227a6d58ffa87d7fce458661614b4d401e739baf1df837fe0c30f07d585a823c864186c75a304a841324d543bb3b00fad614

Download Submit
memory/2556-152-0x0000000000AB0000-0x0000000000AF2000-memory.dmp

Filesize
264KB

Download
memory/2556-143-0x0000000002480000-0x0000000002485000-memory.dmp

Filesize
20KB

Download
memory/2556-142-0x0000000000AB0000-0x0000000000AF2000-memory.dmp

Filesize
264KB

Download
memory/2556-144-0x0000000002470000-0x0000000002475000-memory.dmp

Filesize
20KB

Download
memory/2556-141-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2556-151-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3312-132-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3312-161-0x0000000000CD0000-0x0000000000D12000-memory.dmp

Filesize
264KB

Download
memory/3312-134-0x00000000024D0000-0x00000000024D5000-memory.dmp

Filesize
20KB

Download
memory/3312-133-0x0000000000CD0000-0x0000000000D12000-memory.dmp

Filesize
264KB

Download
memory/3312-160-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3956-146-0x00000000029B0000-0x00000000029F2000-memory.dmp

Filesize
264KB

Download
memory/3956-145-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/3956-163-0x00000000029B0000-0x00000000029F2000-memory.dmp

Filesize
264KB

Download
memory/4968-162-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4968-159-0x0000000002330000-0x0000000002335000-memory.dmp

Filesize
20KB

Download
memory/4968-158-0x0000000002010000-0x0000000002052000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads