f3d9f86ad6edd9e597c39fc1542b81b1297e98d80148ca6e448dd3bdd08bf8b6

Analysis

max time kernel
3s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4015be0e49c809a29e861b509467854f.exe
Size

4.3MB
MD5

4015be0e49c809a29e861b509467854f
SHA1

ae005b39667c0b51c329de64702e4852d0f89643
SHA256

f3d9f86ad6edd9e597c39fc1542b81b1297e98d80148ca6e448dd3bdd08bf8b6
SHA512

a3116d07109dfc5372b5c468ec2c8af2af0e5f77cb27d6c9a30acb611b371710df2426d8793bf98958a66ed9134ccca6f8be73f4b72adb77423ffc03767c8055
SSDEEP

98304:Mmb0qw6nTOV1Q3BmBNt2wAILYeVk6ja3frHG:Dbu6nKV1QcNkI8fDG

Score

10^/10

evasion trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	reg.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023226-127.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 5 IoCs

pid	Process
2852	decomp.exe
2096	Bridge.exe
4868	Script.exe
1388	decomp.exe
4764	Attr.exe

Loads dropped DLL 1 IoCs

pid	Process
4172	regsvr32.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023223-21.dat	upx
behavioral2/memory/2852-24-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2852-30-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000600000002321b-50.dat	upx
behavioral2/memory/2096-59-0x00000000020F0000-0x0000000002100000-memory.dmp	upx
behavioral2/memory/2096-62-0x00000000020F0000-0x0000000002100000-memory.dmp	upx
behavioral2/memory/4868-76-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/files/0x0008000000023212-102.dat	upx
behavioral2/memory/1388-99-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000600000002321e-115.dat	upx
behavioral2/files/0x000600000002321d-114.dat	upx
behavioral2/memory/4764-118-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000023226-127.dat	upx
behavioral2/memory/2120-409-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Debugger\Script.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\svchost.exe	Attr.exe
File opened for modification	C:\Windows\SysWOW64\Script.bak	Bridge.exe
File created	C:\Windows\SysWOW64\Bridge.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Extractor.exe	Attr.exe
File opened for modification	C:\Windows\SysWOW64\Script.tmp	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Bridge.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Extractor.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Update.vbs	Script.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\aosmtp.dll	decomp.exe
File created	C:\Windows\SysWOW64\gizle.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\gizle.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\gizle.vbs	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\ScreenCapture.exe	4015be0e49c809a29e861b509467854f.exe
File created	C:\Windows\SysWOW64\decomp.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\decomp.exe	Attr.exe
File opened for modification	C:\Windows\SysWOW64\decomp.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\FirstUpdate.vbs	Script.exe
File opened for modification	C:\Windows\SysWOW64\Attr.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\kill_xp_firewall.bat	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\temp.bind	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\svchost.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\aosmtp.dll.mail	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\New.vbs	Script.exe
File created	C:\Windows\SysWOW64\Script.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Bridge.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Attr.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\decomp.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\aosmtp.dll.mail	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\aosmtp.dll	decomp.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\config.dat	4015be0e49c809a29e861b509467854f.exe
File created	C:\Windows\SysWOW64\aosmtp.dll.mail	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Script.exe	Attr.exe
File opened for modification	C:\Windows\SysWOW64\ScreenCapture.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\ScreenCapture.exe	Attr.exe
File created	C:\Windows\SysWOW64\ScreenCapture.bak	Bridge.exe
File created	C:\Windows\SysWOW64\Attr.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\	Attr.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Bridge.exe	Attr.exe
File created	C:\Windows\SysWOW64\Script.tmp	Bridge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\InprocServer32\ = "C:\\Windows\\SysWow64\\aosmtp.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\VersionIndependentProgID\ = "AOSMTP.FastSender"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}\ = "_IFastSenderEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender\ = "FastSender Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\ = "_IMailEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\ = "FastSender Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail.1\ = "Mail Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\ProgID\ = "AOSMTP.FastSender.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\ = "IMail"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender\CLSID\ = "{69620165-77DD-44EE-995C-3632E525A22B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\TypeLib\ = "{FF14B02B-6EE4-400F-A729-B0EA35F921C2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\ = "IFastSender"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail.1\CLSID\ = "{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\ = "AOSMTP COMPONENT BUILD V7.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\TypeLib\ = "{FF14B02B-6EE4-400F-A729-B0EA35F921C2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\ = "_IMailEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\ = "IMail"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail\ = "Mail Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\aosmtp.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\TypeLib\ = "{FF14B02B-6EE4-400F-A729-B0EA35F921C2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\ProxyStubClsid32	regsvr32.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4860	4015be0e49c809a29e861b509467854f.exe
2852	decomp.exe
2096	Bridge.exe
4868	Script.exe
1388	decomp.exe
4764	Attr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 2852	4860	4015be0e49c809a29e861b509467854f.exe	89
PID 4860 wrote to memory of 2852	4860	4015be0e49c809a29e861b509467854f.exe	89
PID 4860 wrote to memory of 2852	4860	4015be0e49c809a29e861b509467854f.exe	89
PID 4860 wrote to memory of 2096	4860	4015be0e49c809a29e861b509467854f.exe	90
PID 4860 wrote to memory of 2096	4860	4015be0e49c809a29e861b509467854f.exe	90
PID 4860 wrote to memory of 2096	4860	4015be0e49c809a29e861b509467854f.exe	90
PID 2096 wrote to memory of 4868	2096	Bridge.exe	91
PID 2096 wrote to memory of 4868	2096	Bridge.exe	91
PID 2096 wrote to memory of 4868	2096	Bridge.exe	91
PID 4868 wrote to memory of 2396	4868	Script.exe	92
PID 4868 wrote to memory of 2396	4868	Script.exe	92
PID 4868 wrote to memory of 2396	4868	Script.exe	92
PID 2096 wrote to memory of 1388	2096	Bridge.exe	93
PID 2096 wrote to memory of 1388	2096	Bridge.exe	93
PID 2096 wrote to memory of 1388	2096	Bridge.exe	93
PID 2096 wrote to memory of 4764	2096	Bridge.exe	94
PID 2096 wrote to memory of 4764	2096	Bridge.exe	94
PID 2096 wrote to memory of 4764	2096	Bridge.exe	94
PID 2096 wrote to memory of 4172	2096	Bridge.exe	95
PID 2096 wrote to memory of 4172	2096	Bridge.exe	95
PID 2096 wrote to memory of 4172	2096	Bridge.exe	95
PID 2396 wrote to memory of 4628	2396	wscript.exe	96
PID 2396 wrote to memory of 4628	2396	wscript.exe	96
PID 2396 wrote to memory of 4628	2396	wscript.exe	96
PID 4628 wrote to memory of 1016	4628	cmd.exe	98
PID 4628 wrote to memory of 1016	4628	cmd.exe	98
PID 4628 wrote to memory of 1016	4628	cmd.exe	98
PID 1016 wrote to memory of 4048	1016	net.exe	99
PID 1016 wrote to memory of 4048	1016	net.exe	99
PID 1016 wrote to memory of 4048	1016	net.exe	99
PID 4628 wrote to memory of 1280	4628	cmd.exe	100
PID 4628 wrote to memory of 1280	4628	cmd.exe	100
PID 4628 wrote to memory of 1280	4628	cmd.exe	100
PID 1280 wrote to memory of 4992	1280	net.exe	101
PID 1280 wrote to memory of 4992	1280	net.exe	101
PID 1280 wrote to memory of 4992	1280	net.exe	101
PID 4628 wrote to memory of 3980	4628	cmd.exe	102
PID 4628 wrote to memory of 3980	4628	cmd.exe	102
PID 4628 wrote to memory of 3980	4628	cmd.exe	102
PID 3980 wrote to memory of 2692	3980	net.exe	103
PID 3980 wrote to memory of 2692	3980	net.exe	103
PID 3980 wrote to memory of 2692	3980	net.exe	103
PID 4628 wrote to memory of 2424	4628	cmd.exe	104
PID 4628 wrote to memory of 2424	4628	cmd.exe	104
PID 4628 wrote to memory of 2424	4628	cmd.exe	104
PID 2424 wrote to memory of 432	2424	net.exe	105
PID 2424 wrote to memory of 432	2424	net.exe	105
PID 2424 wrote to memory of 432	2424	net.exe	105
PID 4628 wrote to memory of 1540	4628	cmd.exe	106
PID 4628 wrote to memory of 1540	4628	cmd.exe	106
PID 4628 wrote to memory of 1540	4628	cmd.exe	106
PID 4628 wrote to memory of 4460	4628	cmd.exe	107
PID 4628 wrote to memory of 4460	4628	cmd.exe	107
PID 4628 wrote to memory of 4460	4628	cmd.exe	107
PID 4628 wrote to memory of 1504	4628	cmd.exe	108
PID 4628 wrote to memory of 1504	4628	cmd.exe	108
PID 4628 wrote to memory of 1504	4628	cmd.exe	108
PID 4628 wrote to memory of 1764	4628	cmd.exe	109
PID 4628 wrote to memory of 1764	4628	cmd.exe	109
PID 4628 wrote to memory of 1764	4628	cmd.exe	109
PID 4628 wrote to memory of 2792	4628	cmd.exe	110
PID 4628 wrote to memory of 2792	4628	cmd.exe	110
PID 4628 wrote to memory of 2792	4628	cmd.exe	110
PID 4628 wrote to memory of 4408	4628	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\4015be0e49c809a29e861b509467854f.exe
"C:\Users\Admin\AppData\Local\Temp\4015be0e49c809a29e861b509467854f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\SysWOW64\decomp.exe
  "C:\Windows\System32\decomp.exe" aosmtp.dll
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2852
- C:\Windows\SysWOW64\Debugger\Bridge.exe
  C:\Windows\System32\Debugger\Bridge.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\Debugger\Script.exe
    C:\Windows\SysWOW64\Debugger\Script.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe "C:\Windows\SysWOW64\Debugger\gizle.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\Debugger\kill_xp_firewall.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        7⤵
        
        PID:4048
      - C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        7⤵
        
        PID:4992
      - C:\Windows\SysWOW64\net.exe
        
        net stop MpsSvc
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        7⤵
        
        PID:2692
      - C:\Windows\SysWOW64\net.exe
        
        net stop wscsvc
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wscsvc
        7⤵
        
        PID:432
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 0x1 /f
        6⤵
        Windows security bypass
        
        PID:1540
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Security Center" /v FirewallDisableNotify /t REG_DWORD /d 0x1 /f
        6⤵
        Windows security bypass
        
        PID:4460
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Security Center" /v UpdatesDisableNotify /t REG_DWORD /d 0x1 /f
        6⤵
        Windows security bypass
        
        PID:1504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 0x1 /f
        6⤵
        Windows security bypass
        
        PID:1764
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Security Center" /v FirewallOverride /t REG_DWORD /d 0x1 /f
        6⤵
        Windows security bypass
        
        PID:2792
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        
        PID:4408
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        Modifies security service
        
        PID:3600
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        Modifies security service
        
        PID:3348
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscntfy" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        
        PID:1372
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        Modifies security service
        
        PID:4868
- - C:\Windows\SysWOW64\Debugger\decomp.exe
    "C:\Windows\SysWOW64\Debugger\decomp.exe" /all
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1388
- - C:\Windows\SysWOW64\Debugger\Attr.exe
    "C:\Windows\SysWOW64\Debugger\Attr.exe" doit
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:4764
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\aosmtp.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4172
- - C:\Users\Admin\AppData\Local\Temp\Fraps-VirtualDub_Full_Version!_www_wardom_org.exe
    "C:\Users\Admin\AppData\Local\Temp\Fraps-VirtualDub_Full_Version!_www_wardom_org.exe"
    3⤵
    PID:3132

C:\Windows\SysWOW64\Debugger\ScreenCapture.exe
"C:\Windows\SysWOW64\Debugger\ScreenCapture.exe" 1
1⤵
PID:2120

C:\Windows\SysWOW64\wscript.exe
wscript.exe C:\Windows\SysWOW64\Debugger\FirstUpdate.vbs
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fraps-VirtualDub_Full_Version!_www_wardom_org.exe

Filesize
145KB

MD5
63c4362024249d63c2711c5d0ff01f69

SHA1
5145b9070f846c7c22cfbb4688c9c265ff8fbb85

SHA256
63e212bc681f4d8be423f7b44eb6245fc5aad99a2ba054bc275dc220105cccb8

SHA512
66e4cdeb82782079c001a24fbf1dac08795217b215fe243d6e1dca1de609135e5f526c44d90ea811e7f387bbb7e765552afec024fadcce346496197db963ca9b

Download Submit
C:\Windows\SysWOW64\Debugger\Attr.exe

Filesize
47KB

MD5
2e794f47e668a0492578c5f368a0d9fd

SHA1
813144c0472b65d3d0be7915e41af5e82a0392f9

SHA256
81f83a00b4c6e97221ba1af6878044cffba8ab42ab126e717d6018287e473a6d

SHA512
084bfdc16d4c3b2aab6027f2b1cf24bbcc1b95afd2355001b03edd6358be925760aed0e90333f90cc99e494c570951688208b6c845475bfea155b711f5771b7e

Download Submit
C:\Windows\SysWOW64\Debugger\Bridge.exe

Filesize
357KB

MD5
072dea68a8b4fe7c23e6d656a551abfe

SHA1
cb1769b6ecf7396a1ca74bc8da3f6adcef3ae85c

SHA256
f772ee4f00799150d0b13dd4361a6ca394f8f2c063a0150b32f0929749075632

SHA512
80c51178e8fca3aa08397ef5fb7ca4e69bd40327a4f922b2a0574dab48d86ba11ce89fcd4d48336846b6a28fbadfaa76d868dfabe83b35086ec75feda5343323

Download Submit
C:\Windows\SysWOW64\Debugger\Extractor.exe

Filesize
52KB

MD5
0b1ce68e91c9ceb7226be8a25d4e0e10

SHA1
353bf215141f01c77256449fae49b124b62aabbe

SHA256
80cfb3787b9beca186ba717bbb25912d0d1b5acb1516bd5792e89400d47a02fc

SHA512
ba06d8ab35ea271575c2eef973a6fb45d3a9efe8b395343f444499e3280a7b21a028aa9926f78710215e368c9d49841a2bb85e59129b9f7ae522d4bf845dc80e

Download Submit
C:\Windows\SysWOW64\Debugger\ScreenCapture.exe

Filesize
41KB

MD5
9440e2efdb570345f40440a694eb14c7

SHA1
ed51b0f0d402f73ecd67dd526261a8c038c0b2f0

SHA256
2509c65be9b478e23540e65db8c46989e02a26534c5f7d727bdd5461d42bb90b

SHA512
874ef724143f8d4702a464ee99362da0cb3b492f7df75f42f531a325b3104fde3a13c28d0d613ff00495c2581e3de183d2d03f68096ff510ff6bff8793fd01a7

Download Submit
C:\Windows\SysWOW64\Debugger\Script.exe

Filesize
32KB

MD5
127d5346c33df3bc7eec0e97779b4098

SHA1
3c000c9c18fbcaf1cb17072766c5cd91e2320137

SHA256
3bbeae8d3b3e1e51ccc0a2a2d763adccfc4b470af168c125191de2f52a5d35dc

SHA512
751112dd4e64ce2d561f7976af5b034c5df1725c5330b10f932559f69c8f6a7b806cd65d001d897b4f9fe29efa939fb3811819d7d79edf757520dd57945c077d

Download Submit
C:\Windows\SysWOW64\Debugger\config.dat

Filesize
466B

MD5
f3130450a126db253d485fa4d11aa3aa

SHA1
dd0d94f1230adac0e7ba5b72a2d6f8537ae85109

SHA256
d9b2a5e88e4720837091c78ed7800067a4f734381c9ad8725857646e4b2b259a

SHA512
2660e934be4db474d3da710a79c67e5875ad6abddceac438b0139bc011ccd28d71e18d0045e5caaa34f43c582ad5ffe2a35d86d158df21016e9d4c35bddffece

Download Submit
C:\Windows\SysWOW64\Debugger\gizle.vbs

Filesize
186B

MD5
409f6c9929ff65bff4e518ddf2aaae2d

SHA1
b9433a61a120a5c4ad9cdfdd7b7342934fda89f0

SHA256
82203d31b6b9f6c650ec1d9fcedc076cd373a5e451b995d3c6185586ca4b61c8

SHA512
a2c72727c5e2430d42dfcb3c982a221d837efb0014adf35aeb0c93edc7b8d03c11a20837809b2d36c8d2aa1e0faac8bec762b8cd5abc912c3152b14fc467b066

Download Submit
C:\Windows\SysWOW64\Debugger\kill_xp_firewall.bat

Filesize
1KB

MD5
8b84197072de5daed7e0b6d749752ff3

SHA1
1a09167829201ebeb1f2e19ba2e1176b9dd6579d

SHA256
bfff40cb8d72beedf40a5271c5406a21c9517fa5313854446e2015d505cca4d8

SHA512
4fd4410bfe5311a6721f7409a01c06eaea3401a28b948dfad0e7d4d39fa895e5d84281c736007113c5b4503eabc42f31ed1f360076c05ad6c305440e6d67f561

Download Submit
C:\Windows\SysWOW64\Debugger\svchost.exe

Filesize
25KB

MD5
b2fa45c6280eed45f9da48667216fa12

SHA1
b1f3d5f9fd5a50918f00798d97a3a415a481e07e

SHA256
bfb3abf7bf33bb3416570bd749d10e02e3853eef5ee8b24423465c408f3255d8

SHA512
757eb1e5f666900398e3b12c565f3ac58c7f71634d9930612d832ef251e1c766160ff218b4c74d803b23cbb3a2ba064ed799aa5a966449bd09c07ecdc93c1279

Download Submit
C:\Windows\SysWOW64\Debugger\temp.bind

Filesize
1024KB

MD5
b92153a5a9447ef9fac0368a8d0371e2

SHA1
684bce2dbe4ff8b965e9b6bfd323f48ed3ee1c00

SHA256
af3256c3d9d1a327362ed5ad60652635a9f356c2c5257ae23af6fc040da03556

SHA512
276ff5f2193a59b6c1362d8eacfb7bbed2f81628fc13617399fe9385b73007122fa65df4d6c86b2bf66e0f3c5de814578319a078b790304a2e325a80b2adc530

Download Submit
C:\Windows\SysWOW64\aosmtp.dll

Filesize
125KB

MD5
2a20be5ec0a58b3a17900f336fdfa200

SHA1
caa8aa4367ead62a0aacc75de25e05bf162311a9

SHA256
52b3af25756ce8db7113d25a54a16d41c854e15c8a892b1f230aa1b5724ce5f7

SHA512
6bc1bd033f5cca09237aa19de0de5ac829529b6d83571bdbd46f851365f34ea2287bd3c52eb48e4fc3db0f777336c549f72de74c7b0ae9a4613579401e91ae60

Download Submit
C:\Windows\SysWOW64\aosmtp.dll.mail

Filesize
127KB

MD5
d575cf885392f325c0b1ab4633528f99

SHA1
2ea3b7949b92137830c2fe6adca6ffc9872e7634

SHA256
326652b5ef8c9abfb21185a32ad274c8070cea2b51ae32950fdf9e045501b990

SHA512
a3b3483d740f61cbd061a56e14471ef693e3b739c1ef77dbae882c6f8969976a11f7207b819e6bb25deb736ff5fc26f3cc4cbb294fae2463e2fcfe2d336c74bd

Download Submit
C:\Windows\SysWOW64\decomp.exe

Filesize
11KB

MD5
cdc7c8e80873bce728ce0d260a7d7ab5

SHA1
5c53b22475f69ae84acbffb25bb9fd3a6fcca56d

SHA256
e8d8e908adc80411e9c9b9bfb27fb1c44de8550e34f7943ce70efb2f565dc5c6

SHA512
102a3cfa80637a44b8322244a67503100915c83d27727e1616d890ed2cfc3d1c4f1c7973e817acad810e0fcf4e4f6f7ea16a85a8441752258f2e73360e232542

Download Submit
memory/1388-99-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2096-79-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/2096-94-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/2096-47-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/2096-52-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download
memory/2096-54-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2096-44-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2096-55-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2096-57-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2096-58-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2096-59-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2096-46-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2096-60-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2096-62-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2096-63-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/2096-65-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

Filesize
4KB

Download
memory/2096-64-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2096-66-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2096-70-0x0000000003A60000-0x0000000003A61000-memory.dmp

Filesize
4KB

Download
memory/2096-67-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2096-72-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/2096-45-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2096-73-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

Filesize
4KB

Download
memory/2096-129-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/2096-80-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/2096-81-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/2096-43-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2096-84-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/2096-82-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/2096-85-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/2096-86-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/2096-88-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/2096-89-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/2096-93-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/2096-49-0x0000000003A40000-0x0000000003A45000-memory.dmp

Filesize
20KB

Download
memory/2096-95-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2096-92-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/2096-96-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/2096-97-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/2096-42-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2096-41-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/2096-103-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/2096-101-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/2096-104-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/2096-105-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/2096-107-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/2096-40-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/2096-108-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/2096-39-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2096-37-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/2096-35-0x0000000001FE0000-0x0000000002034000-memory.dmp

Filesize
336KB

Download
memory/2096-111-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/2096-117-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/2096-116-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/2096-112-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/2096-126-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/2096-120-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/2096-121-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/2096-122-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/2096-119-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/2096-123-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/2096-124-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/2096-33-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2096-128-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/2120-409-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2852-30-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2852-24-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4764-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4868-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads