0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b

Analysis

max time kernel
155s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2023 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe
Size

8.5MB
MD5

c98ac1fd83efc87de476f629f6cc85d1
SHA1

4e4515728e4cf44383e0d1cb50fc64b6e943b76c
SHA256

0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b
SHA512

df75e9f18ecb07d6fc0d9bf87502f033d65cba35f87065bd24bc03954217467806c8cb222268a9d5a8bc63cee1b52fd4a6818e183f65ae9f5880a3bbf313bc12
SSDEEP

196608:dHSgTEa0IrU0Z2Y9NcHtNTqc8vQHHCGxP4UjJVTX:F0IrnNOtNTqyCGxAUjL

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022e40-14.dat	acprotect
behavioral2/files/0x0006000000022e40-16.dat	acprotect
behavioral2/files/0x0006000000022e40-18.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
4448	regsvr32.exe
1124	0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe
1124	0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe
1124	0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e40-14.dat	upx
behavioral2/files/0x0006000000022e40-16.dat	upx
behavioral2/memory/1124-19-0x0000000003380000-0x0000000003862000-memory.dmp	upx
behavioral2/files/0x0006000000022e40-18.dat	upx
behavioral2/memory/1124-20-0x0000000003380000-0x0000000003862000-memory.dmp	upx
behavioral2/memory/1124-27-0x0000000003380000-0x0000000003862000-memory.dmp	upx
behavioral2/memory/1124-28-0x0000000003380000-0x0000000003862000-memory.dmp	upx
behavioral2/memory/1124-29-0x0000000003380000-0x0000000003862000-memory.dmp	upx
behavioral2/memory/1124-36-0x0000000003380000-0x0000000003862000-memory.dmp	upx
behavioral2/memory/1124-43-0x0000000003380000-0x0000000003862000-memory.dmp	upx
behavioral2/memory/1124-54-0x0000000003380000-0x0000000003862000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9FF4686E-E007-4522-AA25-FCA8357B3BD9}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCViewer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCRectangle\CLSID\ = "{6184F60B-59F3-4562-BAED-308E757A3DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6184F60B-59F3-4562-BAED-308E757A3DA1}\ProgID\ = "VNCX.VNCRectangle.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCPoint\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{606B9267-8DEC-405A-A272-6CEDE419894F}\TypeLib\ = "{49633AB0-0296-4F1A-897F-19017A9AE174}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6184F60B-59F3-4562-BAED-308E757A3DA1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCRectangle.1\CLSID\ = "{6184F60B-59F3-4562-BAED-308E757A3DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FF4686E-E007-4522-AA25-FCA8357B3BD9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F38C77DF-7615-4FF1-833F-5240FBCA0B6F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EA27E4A-21E3-4CC5-917C-BF2BDAF8A33A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCRectangle\CurVer\ = "VNCX.VNCRectangle.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCPoint.1\ = "VNCPoint Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49633AB0-0296-4F1A-897F-19017A9AE174}\1.0\0\win32\ = "C:\\Users\\vc.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EA27E4A-21E3-4CC5-917C-BF2BDAF8A33A}\ = "IVNCPoint"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EA27E4A-21E3-4CC5-917C-BF2BDAF8A33A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EA27E4A-21E3-4CC5-917C-BF2BDAF8A33A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3562542-79D3-4903-949F-D23E97F8DE4F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}\TypeLib\ = "{49633AB0-0296-4F1A-897F-19017A9AE174}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCPoint.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCPoint.1\CLSID\ = "{606B9267-8DEC-405A-A272-6CEDE419894F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49633AB0-0296-4F1A-897F-19017A9AE174}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49633AB0-0296-4F1A-897F-19017A9AE174}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9FF4686E-E007-4522-AA25-FCA8357B3BD9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCViewer\CLSID\ = "{EFAB8D1F-794A-4C47-B834-53653E05A441}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}\VersionIndependentProgID\ = "VNCX.VNCViewer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{606B9267-8DEC-405A-A272-6CEDE419894F}\VersionIndependentProgID\ = "VNCX.VNCPoint"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{606B9267-8DEC-405A-A272-6CEDE419894F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EA27E4A-21E3-4CC5-917C-BF2BDAF8A33A}\TypeLib\ = "{49633AB0-0296-4F1A-897F-19017A9AE174}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F38C77DF-7615-4FF1-833F-5240FBCA0B6F}\TypeLib\ = "{49633AB0-0296-4F1A-897F-19017A9AE174}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6184F60B-59F3-4562-BAED-308E757A3DA1}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6184F60B-59F3-4562-BAED-308E757A3DA1}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{606B9267-8DEC-405A-A272-6CEDE419894F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{606B9267-8DEC-405A-A272-6CEDE419894F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3562542-79D3-4903-949F-D23E97F8DE4F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{606B9267-8DEC-405A-A272-6CEDE419894F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3562542-79D3-4903-949F-D23E97F8DE4F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F38C77DF-7615-4FF1-833F-5240FBCA0B6F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3562542-79D3-4903-949F-D23E97F8DE4F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F38C77DF-7615-4FF1-833F-5240FBCA0B6F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCViewer.1\ = "VNCViewer Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCPoint	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9FF4686E-E007-4522-AA25-FCA8357B3BD9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FF4686E-E007-4522-AA25-FCA8357B3BD9}\TypeLib\ = "{49633AB0-0296-4F1A-897F-19017A9AE174}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCRectangle.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6184F60B-59F3-4562-BAED-308E757A3DA1}\TypeLib\ = "{49633AB0-0296-4F1A-897F-19017A9AE174}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F38C77DF-7615-4FF1-833F-5240FBCA0B6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCViewer.1\CLSID\ = "{EFAB8D1F-794A-4C47-B834-53653E05A441}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F38C77DF-7615-4FF1-833F-5240FBCA0B6F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F38C77DF-7615-4FF1-833F-5240FBCA0B6F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCViewer\ = "VNCViewer Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFAB8D1F-794A-4C47-B834-53653E05A441}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCRectangle	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNCX.VNCPoint\CurVer\ = "VNCX.VNCPoint.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EA27E4A-21E3-4CC5-917C-BF2BDAF8A33A}\TypeLib	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1124	0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe
1124	0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe
1124	0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 4448	1124	0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe	87
PID 1124 wrote to memory of 4448	1124	0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe	87
PID 1124 wrote to memory of 4448	1124	0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe	87

C:\Users\Admin\AppData\Local\Temp\0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe
"C:\Users\Admin\AppData\Local\Temp\0e287ee7e4ccca224ba3bd7a0e296243d8a5fa353b6298694559a1c710ec700b.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Users\vc.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\mzcys.dll

Filesize
52KB

MD5
56e8cd39114bfc91e766fe46a26a8be6

SHA1
a5467361246b1603ecac91cc77d96dafd83f0b4f

SHA256
d1fb53537bfc78d27d8c72eaa69f986500bf8fcb829ca1d282d99ff2003dd9e6

SHA512
cc19c850a7c34ac073ee003d14dc6b2091171966578afdbe48db4c771c05a0f6c59d05435d8c7a76d90bd3d22994af13bafd4e23e8fb1707058fa30cbace2975

Download Submit
C:\Users\vc.dll

Filesize
272KB

MD5
65127dc97a50fbbe7d5d1a0cde533743

SHA1
3522b814d2978b0bedf18aa9e92f2e2e0118963e

SHA256
e4569a72dd210d150e2dccb0a9c835e06a34dc63d090b522b01171852512ba95

SHA512
8071e5f5719cce4afaebd284286e39f77e1c828f1738352a02557d6cc709d278444ba0ea56d07d804cea5833c92cbd7deb1a8c3fba00d360b63b06e838e03dd6

Download Submit
C:\Users\vc.dll

Filesize
272KB

MD5
65127dc97a50fbbe7d5d1a0cde533743

SHA1
3522b814d2978b0bedf18aa9e92f2e2e0118963e

SHA256
e4569a72dd210d150e2dccb0a9c835e06a34dc63d090b522b01171852512ba95

SHA512
8071e5f5719cce4afaebd284286e39f77e1c828f1738352a02557d6cc709d278444ba0ea56d07d804cea5833c92cbd7deb1a8c3fba00d360b63b06e838e03dd6

Download Submit
C:\Users\ys.tb

Filesize
3.6MB

MD5
8a72ed9b0a149d42a41500df97b52f91

SHA1
320faaf7dbc0a547e25cb774f260e6554b7abe0a

SHA256
2f3e291a5b41fae8a8a92a608440f922917258d9d3eec129dd9a2ad51ab1bbb0

SHA512
94b69e1cfece62fbc5cec603a089c4abc974bd5911727dc457bbad02716eb1bb412868072b3b2131d3d5e3a0415b779244797395b0975510eb2758d0dfc2feb9

Download Submit
C:\Users\ys.tb

Filesize
3.6MB

MD5
8a72ed9b0a149d42a41500df97b52f91

SHA1
320faaf7dbc0a547e25cb774f260e6554b7abe0a

SHA256
2f3e291a5b41fae8a8a92a608440f922917258d9d3eec129dd9a2ad51ab1bbb0

SHA512
94b69e1cfece62fbc5cec603a089c4abc974bd5911727dc457bbad02716eb1bb412868072b3b2131d3d5e3a0415b779244797395b0975510eb2758d0dfc2feb9

Download Submit
C:\Users\ys.tb

Filesize
3.6MB

MD5
8a72ed9b0a149d42a41500df97b52f91

SHA1
320faaf7dbc0a547e25cb774f260e6554b7abe0a

SHA256
2f3e291a5b41fae8a8a92a608440f922917258d9d3eec129dd9a2ad51ab1bbb0

SHA512
94b69e1cfece62fbc5cec603a089c4abc974bd5911727dc457bbad02716eb1bb412868072b3b2131d3d5e3a0415b779244797395b0975510eb2758d0dfc2feb9

Download Submit
memory/1124-22-0x0000000004150000-0x0000000004A4A000-memory.dmp

Filesize
9.0MB

Download
memory/1124-26-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download
memory/1124-12-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1124-11-0x0000000077092000-0x0000000077093000-memory.dmp

Filesize
4KB

Download
memory/1124-19-0x0000000003380000-0x0000000003862000-memory.dmp

Filesize
4.9MB

Download
memory/1124-9-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1124-20-0x0000000003380000-0x0000000003862000-memory.dmp

Filesize
4.9MB

Download
memory/1124-21-0x0000000003870000-0x000000000408B000-memory.dmp

Filesize
8.1MB

Download
memory/1124-10-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1124-24-0x0000000002D80000-0x0000000002D96000-memory.dmp

Filesize
88KB

Download
memory/1124-23-0x0000000002DA0000-0x0000000002DA2000-memory.dmp

Filesize
8KB

Download
memory/1124-13-0x0000000077093000-0x0000000077094000-memory.dmp

Filesize
4KB

Download
memory/1124-27-0x0000000003380000-0x0000000003862000-memory.dmp

Filesize
4.9MB

Download
memory/1124-28-0x0000000003380000-0x0000000003862000-memory.dmp

Filesize
4.9MB

Download
memory/1124-29-0x0000000003380000-0x0000000003862000-memory.dmp

Filesize
4.9MB

Download
memory/1124-30-0x0000000003870000-0x000000000408B000-memory.dmp

Filesize
8.1MB

Download
memory/1124-31-0x0000000004150000-0x0000000004A4A000-memory.dmp

Filesize
9.0MB

Download
memory/1124-32-0x0000000002DA0000-0x0000000002DA2000-memory.dmp

Filesize
8KB

Download
memory/1124-33-0x0000000002D80000-0x0000000002D96000-memory.dmp

Filesize
88KB

Download
memory/1124-36-0x0000000003380000-0x0000000003862000-memory.dmp

Filesize
4.9MB

Download
memory/1124-43-0x0000000003380000-0x0000000003862000-memory.dmp

Filesize
4.9MB

Download
memory/1124-54-0x0000000003380000-0x0000000003862000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads