bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6

Analysis

max time kernel
156s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe
Size

429KB
MD5

fa24ca7f34805428e8dccee3b6db4b01
SHA1

09d460182c9aa792b4a4ce73173ed9199406d2fd
SHA256

bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6
SHA512

c68b55bf61a55d9bada516ebeca5c8557c32ee44c5daf19b9588664dfc61b3770641be7ce81827f07fddbccf38e073b809674a886f8f72398c99707cc28b501e
SSDEEP

6144:LPnQWkBXeh5rncXuYn/TMsCyuN4+euudt/YwN1+OSkMTeoYQn3Pxn1cx8Yt6UIIr:LnoX9eY/0yuNUtQw7+OSkMlT/zcx8PUZ

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

roedou.exevTtBgWGM.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	roedou.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vTtBgWGM.exe

Executes dropped EXE 4 IoCs

Processes:

vTtBgWGM.exewog.exewoh.exeroedou.exe

pid process

1600 vTtBgWGM.exe
1336 wog.exe
1732 woh.exe
876 roedou.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1480 cmd.exe

pid	process
1480	cmd.exe

Loads dropped DLL 8 IoCs

Processes:

bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exevTtBgWGM.exe

pid	process
1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe
1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe
1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe
1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe
1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe
1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe
1600	vTtBgWGM.exe
1600	vTtBgWGM.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

roedou.exevTtBgWGM.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\roedou = "C:\\Users\\Admin\\roedou.exe /h"	roedou.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	roedou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\roedou = "C:\\Users\\Admin\\roedou.exe /i"	roedou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\roedou = "C:\\Users\\Admin\\roedou.exe /V"	roedou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\roedou = "C:\\Users\\Admin\\roedou.exe /F"	roedou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\roedou = "C:\\Users\\Admin\\roedou.exe /S"	roedou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\roedou = "C:\\Users\\Admin\\roedou.exe /v"	roedou.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vTtBgWGM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\roedou = "C:\\Users\\Admin\\roedou.exe /Q"	vTtBgWGM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\roedou = "C:\\Users\\Admin\\roedou.exe /C"	roedou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\roedou = "C:\\Users\\Admin\\roedou.exe /r"	roedou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\roedou = "C:\\Users\\Admin\\roedou.exe /J"	roedou.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

wog.exe

description ioc process

File opened for modification \??\physicaldrive0 wog.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

752 tasklist.exe

description	ioc	process
File opened for modification	\??\physicaldrive0	wog.exe

pid	process
752	tasklist.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

vTtBgWGM.exeroedou.exe

pid	process
1600	vTtBgWGM.exe
1600	vTtBgWGM.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe
876	roedou.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wog.exetasklist.exe

description pid process

Token: SeShutdownPrivilege 1336 wog.exe
Token: SeDebugPrivilege 752 tasklist.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vTtBgWGM.exeroedou.exe

pid process

1600 vTtBgWGM.exe
876 roedou.exe

description	pid	process
Token: SeShutdownPrivilege	1336	wog.exe
Token: SeDebugPrivilege	752	tasklist.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exevTtBgWGM.execmd.exeroedou.exe

description	pid	process	target process
PID 1648 wrote to memory of 1600	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	vTtBgWGM.exe
PID 1648 wrote to memory of 1600	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	vTtBgWGM.exe
PID 1648 wrote to memory of 1600	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	vTtBgWGM.exe
PID 1648 wrote to memory of 1600	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	vTtBgWGM.exe
PID 1648 wrote to memory of 1336	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	wog.exe
PID 1648 wrote to memory of 1336	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	wog.exe
PID 1648 wrote to memory of 1336	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	wog.exe
PID 1648 wrote to memory of 1336	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	wog.exe
PID 1648 wrote to memory of 1732	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	woh.exe
PID 1648 wrote to memory of 1732	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	woh.exe
PID 1648 wrote to memory of 1732	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	woh.exe
PID 1648 wrote to memory of 1732	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	woh.exe
PID 1648 wrote to memory of 1480	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	cmd.exe
PID 1648 wrote to memory of 1480	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	cmd.exe
PID 1648 wrote to memory of 1480	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	cmd.exe
PID 1648 wrote to memory of 1480	1648	bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe	cmd.exe
PID 1600 wrote to memory of 876	1600	vTtBgWGM.exe	roedou.exe
PID 1600 wrote to memory of 876	1600	vTtBgWGM.exe	roedou.exe
PID 1600 wrote to memory of 876	1600	vTtBgWGM.exe	roedou.exe
PID 1600 wrote to memory of 876	1600	vTtBgWGM.exe	roedou.exe
PID 1600 wrote to memory of 1692	1600	vTtBgWGM.exe	cmd.exe
PID 1600 wrote to memory of 1692	1600	vTtBgWGM.exe	cmd.exe
PID 1600 wrote to memory of 1692	1600	vTtBgWGM.exe	cmd.exe
PID 1600 wrote to memory of 1692	1600	vTtBgWGM.exe	cmd.exe
PID 1692 wrote to memory of 752	1692	cmd.exe	tasklist.exe
PID 1692 wrote to memory of 752	1692	cmd.exe	tasklist.exe
PID 1692 wrote to memory of 752	1692	cmd.exe	tasklist.exe
PID 1692 wrote to memory of 752	1692	cmd.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe
PID 876 wrote to memory of 752	876	roedou.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe
"C:\Users\Admin\AppData\Local\Temp\bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\vTtBgWGM.exe
vTtBgWGM.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\roedou.exe
"C:\Users\Admin\roedou.exe"
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del vTtBgWGM.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Users\Admin\wog.exe
wog.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Users\Admin\woh.exe
woh.exe
2⤵
- Executes dropped EXE
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c del bbe1ad988b8b3193c4354b3bce2db47a0fe9c78f26cf14d49a3dbd1f7806cac6.exe
2⤵
- Deletes itself
PID:1480

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\roedou.exe
Filesize
152KB

MD5
7dc1075a89957c969b3953544bc4e688

SHA1
1682b8bd90c65f7ba6bcb2aa69da90a2309bfe33

SHA256
5622fd59b93a5b0d08ac7ff0176cb54accb9ff56988f2613dc705a6910e0a57c

SHA512
629b84de6a82d6a0c304f24ceaccf09564eda759edc429c2a5dd126a7c5c5bfa1d246ca374eaf2f3e014a83d2169774b6650040a87b4439675476aec6aaa2df3

Download Submit
C:\Users\Admin\roedou.exe
Filesize
152KB

MD5
7dc1075a89957c969b3953544bc4e688

SHA1
1682b8bd90c65f7ba6bcb2aa69da90a2309bfe33

SHA256
5622fd59b93a5b0d08ac7ff0176cb54accb9ff56988f2613dc705a6910e0a57c

SHA512
629b84de6a82d6a0c304f24ceaccf09564eda759edc429c2a5dd126a7c5c5bfa1d246ca374eaf2f3e014a83d2169774b6650040a87b4439675476aec6aaa2df3

Download Submit
C:\Users\Admin\vTtBgWGM.exe
Filesize
152KB

MD5
44095c5a6c98e49a0f328b29339a8636

SHA1
db2a4f362bf74ec0aee546d5fd9e2dc7ff616808

SHA256
72b4e8cff9d154f72034c4021b9349dcf0c9bddfeddbe9f5170283ace5a85e58

SHA512
d7df51f843ebd07a1ed6a4cc123bd24f667a42ae1f84e602b142680129e32c7f6153c45d2e9dc292d57755963b88a634c23e7eeb274364eb0a98f700b3e2c994

Download Submit
C:\Users\Admin\vTtBgWGM.exe
Filesize
152KB

MD5
44095c5a6c98e49a0f328b29339a8636

SHA1
db2a4f362bf74ec0aee546d5fd9e2dc7ff616808

SHA256
72b4e8cff9d154f72034c4021b9349dcf0c9bddfeddbe9f5170283ace5a85e58

SHA512
d7df51f843ebd07a1ed6a4cc123bd24f667a42ae1f84e602b142680129e32c7f6153c45d2e9dc292d57755963b88a634c23e7eeb274364eb0a98f700b3e2c994

Download Submit
C:\Users\Admin\wog.exe
Filesize
230KB

MD5
447175e54f856165028604829809f782

SHA1
4bfa0fd11fa9d1686fd48bc6a25bd0adb1981243

SHA256
520b0f6027dcde85d26228a9fdae313e83c44c8b93638dde92b1105b32ea7f5a

SHA512
505f25a2ed7fa6adf48d6a39bda30e8383a4147e7b11d5408667beea1b8b75ca9db606eec17e4be82ce004a2a173a014b94e7aaacd25da1f8444ba3f2cfa2bae

Download Submit
C:\Users\Admin\wog.exe
Filesize
230KB

MD5
447175e54f856165028604829809f782

SHA1
4bfa0fd11fa9d1686fd48bc6a25bd0adb1981243

SHA256
520b0f6027dcde85d26228a9fdae313e83c44c8b93638dde92b1105b32ea7f5a

SHA512
505f25a2ed7fa6adf48d6a39bda30e8383a4147e7b11d5408667beea1b8b75ca9db606eec17e4be82ce004a2a173a014b94e7aaacd25da1f8444ba3f2cfa2bae

Download Submit
C:\Users\Admin\woh.exe
Filesize
134KB

MD5
1bff1a8c4777a530bc583d579f280c4d

SHA1
378e0a700ea0f08c780a1225e25cdf1748bf962a

SHA256
57b82873b77d9447b49c68c4dc3d613dcc64e691aee6fb05dbe623972aeccc5a

SHA512
9b018f34d9433b2e7013e72e0a9ad426fbb0babed0bc4efe49df0d1717370d93be1a9926e560c43e7741e006bfe5226bdba001b5f2f8143931575f73ecaf4b42

Download Submit
\Users\Admin\roedou.exe
Filesize
152KB

MD5
7dc1075a89957c969b3953544bc4e688

SHA1
1682b8bd90c65f7ba6bcb2aa69da90a2309bfe33

SHA256
5622fd59b93a5b0d08ac7ff0176cb54accb9ff56988f2613dc705a6910e0a57c

SHA512
629b84de6a82d6a0c304f24ceaccf09564eda759edc429c2a5dd126a7c5c5bfa1d246ca374eaf2f3e014a83d2169774b6650040a87b4439675476aec6aaa2df3

Download Submit
\Users\Admin\roedou.exe
Filesize
152KB

MD5
7dc1075a89957c969b3953544bc4e688

SHA1
1682b8bd90c65f7ba6bcb2aa69da90a2309bfe33

SHA256
5622fd59b93a5b0d08ac7ff0176cb54accb9ff56988f2613dc705a6910e0a57c

SHA512
629b84de6a82d6a0c304f24ceaccf09564eda759edc429c2a5dd126a7c5c5bfa1d246ca374eaf2f3e014a83d2169774b6650040a87b4439675476aec6aaa2df3

Download Submit
\Users\Admin\vTtBgWGM.exe
Filesize
152KB

MD5
44095c5a6c98e49a0f328b29339a8636

SHA1
db2a4f362bf74ec0aee546d5fd9e2dc7ff616808

SHA256
72b4e8cff9d154f72034c4021b9349dcf0c9bddfeddbe9f5170283ace5a85e58

SHA512
d7df51f843ebd07a1ed6a4cc123bd24f667a42ae1f84e602b142680129e32c7f6153c45d2e9dc292d57755963b88a634c23e7eeb274364eb0a98f700b3e2c994

Download Submit
\Users\Admin\vTtBgWGM.exe
Filesize
152KB

MD5
44095c5a6c98e49a0f328b29339a8636

SHA1
db2a4f362bf74ec0aee546d5fd9e2dc7ff616808

SHA256
72b4e8cff9d154f72034c4021b9349dcf0c9bddfeddbe9f5170283ace5a85e58

SHA512
d7df51f843ebd07a1ed6a4cc123bd24f667a42ae1f84e602b142680129e32c7f6153c45d2e9dc292d57755963b88a634c23e7eeb274364eb0a98f700b3e2c994

Download Submit
\Users\Admin\wog.exe
Filesize
230KB

MD5
447175e54f856165028604829809f782

SHA1
4bfa0fd11fa9d1686fd48bc6a25bd0adb1981243

SHA256
520b0f6027dcde85d26228a9fdae313e83c44c8b93638dde92b1105b32ea7f5a

SHA512
505f25a2ed7fa6adf48d6a39bda30e8383a4147e7b11d5408667beea1b8b75ca9db606eec17e4be82ce004a2a173a014b94e7aaacd25da1f8444ba3f2cfa2bae

Download Submit
\Users\Admin\wog.exe
Filesize
230KB

MD5
447175e54f856165028604829809f782

SHA1
4bfa0fd11fa9d1686fd48bc6a25bd0adb1981243

SHA256
520b0f6027dcde85d26228a9fdae313e83c44c8b93638dde92b1105b32ea7f5a

SHA512
505f25a2ed7fa6adf48d6a39bda30e8383a4147e7b11d5408667beea1b8b75ca9db606eec17e4be82ce004a2a173a014b94e7aaacd25da1f8444ba3f2cfa2bae

Download Submit
\Users\Admin\woh.exe
Filesize
134KB

MD5
1bff1a8c4777a530bc583d579f280c4d

SHA1
378e0a700ea0f08c780a1225e25cdf1748bf962a

SHA256
57b82873b77d9447b49c68c4dc3d613dcc64e691aee6fb05dbe623972aeccc5a

SHA512
9b018f34d9433b2e7013e72e0a9ad426fbb0babed0bc4efe49df0d1717370d93be1a9926e560c43e7741e006bfe5226bdba001b5f2f8143931575f73ecaf4b42

Download Submit
\Users\Admin\woh.exe
Filesize
134KB

MD5
1bff1a8c4777a530bc583d579f280c4d

SHA1
378e0a700ea0f08c780a1225e25cdf1748bf962a

SHA256
57b82873b77d9447b49c68c4dc3d613dcc64e691aee6fb05dbe623972aeccc5a

SHA512
9b018f34d9433b2e7013e72e0a9ad426fbb0babed0bc4efe49df0d1717370d93be1a9926e560c43e7741e006bfe5226bdba001b5f2f8143931575f73ecaf4b42

Download Submit
memory/752-87-0x0000000000000000-mapping.dmp

Download
memory/876-78-0x0000000000000000-mapping.dmp

Download
memory/1336-67-0x0000000000470000-0x00000000004D5000-memory.dmp

Filesize
404KB

Download
memory/1336-74-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1336-70-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1336-68-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1336-69-0x0000000000470000-0x00000000004D5000-memory.dmp

Filesize
404KB

Download
memory/1336-60-0x0000000000000000-mapping.dmp

Download
memory/1480-71-0x0000000000000000-mapping.dmp

Download
memory/1600-56-0x0000000000000000-mapping.dmp

Download
memory/1692-86-0x0000000000000000-mapping.dmp

Download
memory/1732-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads