8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88

Analysis

max time kernel
174s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe
Size

519KB
MD5

5d25fac49860ba271904ab1bf7b3a3e9
SHA1

8fae1aa5a01b39252b713a3364925d5430d6e56a
SHA256

8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88
SHA512

e71b73168d6d0a568c12c48c9e2cc56e267ce2dd3b3572393db02a56de582957ef34290501c4abda5bbf1acd3f59071ba885e747cd547bfaebc87ae4e4c9cb3d
SSDEEP

12288:pHuy6uI17ZFaRfXR9TD2pLh7QH0wJ0X2ppGqvplz+cjvWBjYoS:tOR+XR9TD2pL1QH22pIqpl+o

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\cge\crgen.exe = "C:\\Users\\Admin\\AppData\\Roaming\\cge\\crgen.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\crgen.exe = "C:\\Users\\Admin\\AppData\\Roaming\\crgen.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
2384	XVuxh.EXE
4048	crgen.exe
332	crgen.exe
1732	crgen.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e5d-136.dat	upx
behavioral2/files/0x0006000000022e5d-137.dat	upx
behavioral2/memory/2384-138-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/332-150-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/332-155-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/332-153-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/332-173-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/2384-177-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/332-178-0x0000000000400000-0x0000000000474000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgs = "C:\\Users\\Admin\\AppData\\Roaming\\cge\\crgen.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4048 set thread context of 332	4048	crgen.exe	86
PID 4048 set thread context of 1732	4048	crgen.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4208	reg.exe
524	reg.exe
1468	reg.exe
1708	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	332	crgen.exe
Token: SeCreateTokenPrivilege	332	crgen.exe
Token: SeAssignPrimaryTokenPrivilege	332	crgen.exe
Token: SeLockMemoryPrivilege	332	crgen.exe
Token: SeIncreaseQuotaPrivilege	332	crgen.exe
Token: SeMachineAccountPrivilege	332	crgen.exe
Token: SeTcbPrivilege	332	crgen.exe
Token: SeSecurityPrivilege	332	crgen.exe
Token: SeTakeOwnershipPrivilege	332	crgen.exe
Token: SeLoadDriverPrivilege	332	crgen.exe
Token: SeSystemProfilePrivilege	332	crgen.exe
Token: SeSystemtimePrivilege	332	crgen.exe
Token: SeProfSingleProcessPrivilege	332	crgen.exe
Token: SeIncBasePriorityPrivilege	332	crgen.exe
Token: SeCreatePagefilePrivilege	332	crgen.exe
Token: SeCreatePermanentPrivilege	332	crgen.exe
Token: SeBackupPrivilege	332	crgen.exe
Token: SeRestorePrivilege	332	crgen.exe
Token: SeShutdownPrivilege	332	crgen.exe
Token: SeDebugPrivilege	332	crgen.exe
Token: SeAuditPrivilege	332	crgen.exe
Token: SeSystemEnvironmentPrivilege	332	crgen.exe
Token: SeChangeNotifyPrivilege	332	crgen.exe
Token: SeRemoteShutdownPrivilege	332	crgen.exe
Token: SeUndockPrivilege	332	crgen.exe
Token: SeSyncAgentPrivilege	332	crgen.exe
Token: SeEnableDelegationPrivilege	332	crgen.exe
Token: SeManageVolumePrivilege	332	crgen.exe
Token: SeImpersonatePrivilege	332	crgen.exe
Token: SeCreateGlobalPrivilege	332	crgen.exe
Token: 31	332	crgen.exe
Token: 32	332	crgen.exe
Token: 33	332	crgen.exe
Token: 34	332	crgen.exe
Token: 35	332	crgen.exe
Token: SeDebugPrivilege	1732	crgen.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2384	XVuxh.EXE
2384	XVuxh.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2384	XVuxh.EXE
2384	XVuxh.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1408	8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe
2384	XVuxh.EXE
2384	XVuxh.EXE
4048	crgen.exe
332	crgen.exe
332	crgen.exe
1732	crgen.exe
332	crgen.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 2384	1408	8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe	80
PID 1408 wrote to memory of 2384	1408	8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe	80
PID 1408 wrote to memory of 2384	1408	8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe	80
PID 1408 wrote to memory of 1544	1408	8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe	82
PID 1408 wrote to memory of 1544	1408	8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe	82
PID 1408 wrote to memory of 1544	1408	8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe	82
PID 1544 wrote to memory of 4328	1544	cmd.exe	84
PID 1544 wrote to memory of 4328	1544	cmd.exe	84
PID 1544 wrote to memory of 4328	1544	cmd.exe	84
PID 1408 wrote to memory of 4048	1408	8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe	85
PID 1408 wrote to memory of 4048	1408	8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe	85
PID 1408 wrote to memory of 4048	1408	8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe	85
PID 4048 wrote to memory of 332	4048	crgen.exe	86
PID 4048 wrote to memory of 332	4048	crgen.exe	86
PID 4048 wrote to memory of 332	4048	crgen.exe	86
PID 4048 wrote to memory of 332	4048	crgen.exe	86
PID 4048 wrote to memory of 332	4048	crgen.exe	86
PID 4048 wrote to memory of 332	4048	crgen.exe	86
PID 4048 wrote to memory of 332	4048	crgen.exe	86
PID 4048 wrote to memory of 332	4048	crgen.exe	86
PID 4048 wrote to memory of 1732	4048	crgen.exe	87
PID 4048 wrote to memory of 1732	4048	crgen.exe	87
PID 4048 wrote to memory of 1732	4048	crgen.exe	87
PID 4048 wrote to memory of 1732	4048	crgen.exe	87
PID 4048 wrote to memory of 1732	4048	crgen.exe	87
PID 4048 wrote to memory of 1732	4048	crgen.exe	87
PID 4048 wrote to memory of 1732	4048	crgen.exe	87
PID 332 wrote to memory of 2588	332	crgen.exe	90
PID 332 wrote to memory of 2588	332	crgen.exe	90
PID 332 wrote to memory of 2588	332	crgen.exe	90
PID 332 wrote to memory of 3760	332	crgen.exe	89
PID 332 wrote to memory of 3760	332	crgen.exe	89
PID 332 wrote to memory of 3760	332	crgen.exe	89
PID 332 wrote to memory of 3904	332	crgen.exe	97
PID 332 wrote to memory of 3904	332	crgen.exe	97
PID 332 wrote to memory of 3904	332	crgen.exe	97
PID 332 wrote to memory of 2132	332	crgen.exe	95
PID 332 wrote to memory of 2132	332	crgen.exe	95
PID 332 wrote to memory of 2132	332	crgen.exe	95
PID 2588 wrote to memory of 4208	2588	cmd.exe	94
PID 2588 wrote to memory of 4208	2588	cmd.exe	94
PID 2588 wrote to memory of 4208	2588	cmd.exe	94
PID 2132 wrote to memory of 524	2132	cmd.exe	98
PID 2132 wrote to memory of 524	2132	cmd.exe	98
PID 2132 wrote to memory of 524	2132	cmd.exe	98
PID 3904 wrote to memory of 1708	3904	cmd.exe	100
PID 3904 wrote to memory of 1708	3904	cmd.exe	100
PID 3904 wrote to memory of 1708	3904	cmd.exe	100
PID 3760 wrote to memory of 1468	3760	cmd.exe	99
PID 3760 wrote to memory of 1468	3760	cmd.exe	99
PID 3760 wrote to memory of 1468	3760	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe
"C:\Users\Admin\AppData\Local\Temp\8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1408
- C:\XVuxh.EXE
  "C:\XVuxh.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suyhE.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "cgs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cge\crgen.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4328
- C:\Users\Admin\AppData\Roaming\cge\crgen.exe
  "C:\Users\Admin\AppData\Roaming\cge\crgen.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Roaming\cge\crgen.exe
    C:\Users\Admin\AppData\Roaming\cge\crgen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\cge\crgen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cge\crgen.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3760
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\cge\crgen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cge\crgen.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1468
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\crgen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\crgen.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\crgen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\crgen.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:524
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3904
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1708
- - C:\Users\Admin\AppData\Roaming\cge\crgen.exe
    C:\Users\Admin\AppData\Roaming\cge\crgen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\suyhE.bat

Filesize
132B

MD5
868bec696e993871ab22e39997b9a211

SHA1
89cba2b6d5867f08b605b08f90ac11d87ff1e042

SHA256
52101e8b6b1f463e825430d299b5dfdd6235ada62df93c2c30154a166cf09693

SHA512
a2a91cf48bea9a95d47e6811c05934980c7cbaa72610be0093eee9ba1a35b2513547577c12ef58bddb887f3dfc013bad5824e3169ebe2780f2ccb223175cee1d

Download Submit
C:\Users\Admin\AppData\Roaming\cge\crgen.exe

Filesize
519KB

MD5
5d25fac49860ba271904ab1bf7b3a3e9

SHA1
8fae1aa5a01b39252b713a3364925d5430d6e56a

SHA256
8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88

SHA512
e71b73168d6d0a568c12c48c9e2cc56e267ce2dd3b3572393db02a56de582957ef34290501c4abda5bbf1acd3f59071ba885e747cd547bfaebc87ae4e4c9cb3d

Download Submit
C:\Users\Admin\AppData\Roaming\cge\crgen.exe

Filesize
519KB

MD5
5d25fac49860ba271904ab1bf7b3a3e9

SHA1
8fae1aa5a01b39252b713a3364925d5430d6e56a

SHA256
8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88

SHA512
e71b73168d6d0a568c12c48c9e2cc56e267ce2dd3b3572393db02a56de582957ef34290501c4abda5bbf1acd3f59071ba885e747cd547bfaebc87ae4e4c9cb3d

Download Submit
C:\Users\Admin\AppData\Roaming\cge\crgen.exe

Filesize
519KB

MD5
5d25fac49860ba271904ab1bf7b3a3e9

SHA1
8fae1aa5a01b39252b713a3364925d5430d6e56a

SHA256
8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88

SHA512
e71b73168d6d0a568c12c48c9e2cc56e267ce2dd3b3572393db02a56de582957ef34290501c4abda5bbf1acd3f59071ba885e747cd547bfaebc87ae4e4c9cb3d

Download Submit
C:\Users\Admin\AppData\Roaming\cge\crgen.exe

Filesize
519KB

MD5
5d25fac49860ba271904ab1bf7b3a3e9

SHA1
8fae1aa5a01b39252b713a3364925d5430d6e56a

SHA256
8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88

SHA512
e71b73168d6d0a568c12c48c9e2cc56e267ce2dd3b3572393db02a56de582957ef34290501c4abda5bbf1acd3f59071ba885e747cd547bfaebc87ae4e4c9cb3d

Download Submit
C:\XVuxh.EXE

Filesize
70KB

MD5
0433471d11abf320dbf44ac874b47596

SHA1
a647632a352ab64a51772da91364f3ae0cbb5369

SHA256
8a9640b6b83a32a6ad8247bfa155e4885edcd59ce3cead8bcf189667a48826f2

SHA512
84afd9cca3120dd0cceca08e7012ad7a54e5b8a65e8468a8104f5c3a9d1a9cd6ff289a396ffdbfc731dfc2af50501e12b49e23757f6eb39cf005af0831d84657

Download Submit
C:\XVuxh.EXE

Filesize
70KB

MD5
0433471d11abf320dbf44ac874b47596

SHA1
a647632a352ab64a51772da91364f3ae0cbb5369

SHA256
8a9640b6b83a32a6ad8247bfa155e4885edcd59ce3cead8bcf189667a48826f2

SHA512
84afd9cca3120dd0cceca08e7012ad7a54e5b8a65e8468a8104f5c3a9d1a9cd6ff289a396ffdbfc731dfc2af50501e12b49e23757f6eb39cf005af0831d84657

Download Submit
memory/332-155-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/332-178-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/332-153-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/332-150-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/332-173-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1408-145-0x0000000000400000-0x0000000000A68000-memory.dmp

Filesize
6.4MB

Download
memory/1408-132-0x0000000000400000-0x0000000000A68000-memory.dmp

Filesize
6.4MB

Download
memory/1732-156-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1732-172-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1732-163-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1732-162-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2384-138-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2384-177-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4048-148-0x0000000000400000-0x0000000000A68000-memory.dmp

Filesize
6.4MB

Download
memory/4048-164-0x0000000000400000-0x0000000000A68000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads