f005d0a23dcd8455a71971c3824ff0596e3c40f7cf7012c6829118f7d3f346d1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-01-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

682db5558ce11329c208eb7e0632e63e.exe
Size

824KB
MD5

682db5558ce11329c208eb7e0632e63e
SHA1

233b5cfec545e43d49ed558f4af95ca89c019850
SHA256

f005d0a23dcd8455a71971c3824ff0596e3c40f7cf7012c6829118f7d3f346d1
SHA512

e24146bc51a060e521941bf15e892c0bce60fe0754b8f87630af3a60d0a9e13e2583d286653f890b8616c967bcadc566601dfeb517d8387cfa333c027e39b5e6
SSDEEP

12288:qai/oGGwH/BTqATt9IGeIm0JFg7qFhZjGgxGwPUD0INtcs9w7Jza+esTCmOQ/0:di/oMHZ1fm0s0agxGwfINyz7pL2mvM

Score

7^/10

aspackv2 bootkit persistence

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000015d4f-179.dat	aspack_v212_v242
behavioral1/files/0x0006000000015d17-173.dat	aspack_v212_v242
behavioral1/files/0x000e00000001224d-146.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
1400	f259394500.exe
1452	atnppn.exe

Loads dropped DLL 7 IoCs

pid	Process
1960	682db5558ce11329c208eb7e0632e63e.exe
1960	682db5558ce11329c208eb7e0632e63e.exe
1400	f259394500.exe
2196	regsvr32.exe
1400	f259394500.exe
1400	f259394500.exe
1452	atnppn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winsync = "C:\\Windows\\system32\\atnppn.exe reg_run"	f259394500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winsync = "C:\\Windows\\system32\\atnppn.exe reg_run"	atnppn.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	682db5558ce11329c208eb7e0632e63e.exe
File opened for modification	\??\PhysicalDrive0	f259394500.exe
File opened for modification	\??\PhysicalDrive0	regsvr32.exe
File opened for modification	\??\PhysicalDrive0	atnppn.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wuauclt.dll	682db5558ce11329c208eb7e0632e63e.exe
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\ickrrkx.dll	atnppn.exe
File created	C:\Windows\SysWOW64\ickrrkx.dll	f259394500.exe
File created	C:\Windows\SysWOW64\bacnncx.exe	f259394500.exe
File opened for modification	C:\Windows\SysWOW64\fmgee.dll	atnppn.exe
File created	C:\Windows\SysWOW64\vgactl.cpl	682db5558ce11329c208eb7e0632e63e.exe
File created	C:\Windows\SysWOW64\puqaa.dat	f259394500.exe
File created	C:\Windows\SysWOW64\atnppn.exe	f259394500.exe
File opened for modification	C:\Windows\SysWOW64\atnppn.exe	f259394500.exe
File created	C:\Windows\SysWOW64\fmgee.dll	f259394500.exe
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	atnppn.exe
File created	C:\Windows\SysWOW64\atnppn.exe	atnppn.exe
File created	C:\Windows\SysWOW64\puqaa.dat	atnppn.exe
File opened for modification	C:\Windows\SysWOW64\bacnncx.exe	atnppn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\vcboob.dat	682db5558ce11329c208eb7e0632e63e.exe
File created	C:\Windows\rpenn.dll	f259394500.exe
File opened for modification	C:\Windows\rpenn.dll	f259394500.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	682db5558ce11329c208eb7e0632e63e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	682db5558ce11329c208eb7e0632e63e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	682db5558ce11329c208eb7e0632e63e.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f259394500.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	atnppn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	atnppn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	682db5558ce11329c208eb7e0632e63e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	f259394500.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f259394500.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f259394500.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	atnppn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	atnppn.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\CLSID = "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\MenuText = "Java"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}	regsvr32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b0ffd35-11b5-432f-bbf8-29ae347b0a0b}\InProcServer32\ThreadingModel = "Apartment"	f259394500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3c4004e-c9f1-43a9-9b05-8ea60f29cf32}\InProcServer32	atnppn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3c4004e-c9f1-43a9-9b05-8ea60f29cf32}\ProgId\ = "exreerfj.class"	atnppn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b0ffd35-11b5-432f-bbf8-29ae347b0a0b}\ = "exreerfj.class"	f259394500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b0ffd35-11b5-432f-bbf8-29ae347b0a0b}\InProcServer32\ = "C:\\Windows\\SysWow64\\fmgee.dll"	f259394500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3c4004e-c9f1-43a9-9b05-8ea60f29cf32}	atnppn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3c4004e-c9f1-43a9-9b05-8ea60f29cf32}\InProcServer32\ = "C:\\Windows\\SysWow64\\fmgee.dll"	atnppn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\fygnngsk\ = "{a3c4004e-c9f1-43a9-9b05-8ea60f29cf32}"	atnppn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ = "C:\\Windows\\SysWow64\\wuauclt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\fygnngsk\ = "{3b0ffd35-11b5-432f-bbf8-29ae347b0a0b}"	f259394500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\fygnngsk	f259394500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b0ffd35-11b5-432f-bbf8-29ae347b0a0b}\ProgId	f259394500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\fygnngsk	atnppn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3c4004e-c9f1-43a9-9b05-8ea60f29cf32}\ = "exreerfj.class"	atnppn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b0ffd35-11b5-432f-bbf8-29ae347b0a0b}\InProcServer32	f259394500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b0ffd35-11b5-432f-bbf8-29ae347b0a0b}\ProgId\ = "exreerfj.class"	f259394500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3c4004e-c9f1-43a9-9b05-8ea60f29cf32}\ProgId	atnppn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b0ffd35-11b5-432f-bbf8-29ae347b0a0b}	f259394500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "Columns class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId\ = "Columns class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3c4004e-c9f1-43a9-9b05-8ea60f29cf32}\InProcServer32\ThreadingModel = "Apartment"	atnppn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2196	1960	682db5558ce11329c208eb7e0632e63e.exe	28
PID 1960 wrote to memory of 2196	1960	682db5558ce11329c208eb7e0632e63e.exe	28
PID 1960 wrote to memory of 2196	1960	682db5558ce11329c208eb7e0632e63e.exe	28
PID 1960 wrote to memory of 2196	1960	682db5558ce11329c208eb7e0632e63e.exe	28
PID 1960 wrote to memory of 2196	1960	682db5558ce11329c208eb7e0632e63e.exe	28
PID 1960 wrote to memory of 2196	1960	682db5558ce11329c208eb7e0632e63e.exe	28
PID 1960 wrote to memory of 2196	1960	682db5558ce11329c208eb7e0632e63e.exe	28
PID 1960 wrote to memory of 1400	1960	682db5558ce11329c208eb7e0632e63e.exe	30
PID 1960 wrote to memory of 1400	1960	682db5558ce11329c208eb7e0632e63e.exe	30
PID 1960 wrote to memory of 1400	1960	682db5558ce11329c208eb7e0632e63e.exe	30
PID 1960 wrote to memory of 1400	1960	682db5558ce11329c208eb7e0632e63e.exe	30
PID 1400 wrote to memory of 1452	1400	f259394500.exe	29
PID 1400 wrote to memory of 1452	1400	f259394500.exe	29
PID 1400 wrote to memory of 1452	1400	f259394500.exe	29
PID 1400 wrote to memory of 1452	1400	f259394500.exe	29

C:\Users\Admin\AppData\Local\Temp\682db5558ce11329c208eb7e0632e63e.exe
"C:\Users\Admin\AppData\Local\Temp\682db5558ce11329c208eb7e0632e63e.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\wuauclt.dll
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\f259394500.exe
  "C:\Users\Admin\AppData\Local\Temp\f259394500.exe" first_run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1400

C:\Windows\SysWOW64\atnppn.exe
first_run
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f259394500.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
C:\Windows\SysWOW64\bacnncx.exe

Filesize
163KB

MD5
eabbb6f57dac51f65b7fa7ad44dc0c85

SHA1
70b89bb6eda284e71271f35497f0309cde69fea7

SHA256
7907745f5df59442b6a80ceb8dfbcbf139c41580e5cfad5969c92090b0e711fa

SHA512
fb57dad1ca7957ff11bd915e66035380daf0ab2c78c41592bc0c5b6f326b138940737279e04248497fc58972a805fd5d7583a917f59dfc40b84e3cd2f093ecd3

Download Submit
C:\Windows\SysWOW64\ickrrkx.dll

Filesize
176KB

MD5
e1900e1e64c730073c74c7bd72ef8f3e

SHA1
f2a2faf02d532bf9f2c209d349c580f4525ad19a

SHA256
b792a3a2b46072f6c0ef11cc0e0b4366af25a4a43e5a94476b6e387e765a1e25

SHA512
9256d304e6cfb52a070276d026eb86eec713fa6054092e9d977a5b734f240cc8d767f7f1117347fe4c50f516736339e34839d7614fd603eef4d4a797e1cd0722

Download Submit
C:\Windows\rpenn.dll

Filesize
32B

MD5
0ab99d33e5427a4c40a7f72fc6a46630

SHA1
9ddb58311426e66f7d3da6372bc5b8e2e3781166

SHA256
d59bebb20d90df108b366eda743cb8a54ba07c545e447a6b8c5f061e91ae8529

SHA512
37a15e91a07f05e76b61e4bda8c3e9bc4dfacb7d6a42e30b5d1310d03f5279c9c0fd301b8e7715ed5a1fa72e6c20b12ab8c4c235a6077b188736ac60650ea5b1

Download Submit
\Windows\SysWOW64\fmgee.dll

Filesize
130KB

MD5
78d4c669c1f3268b6cfc493e08df9d20

SHA1
bc54b50630a72c86d503f435459112cac1aa9989

SHA256
484e60c78e02266e8857f95511c3f2b2a7714020051b615fc5c8e6c6b1a4c5b7

SHA512
5a6b2904648337b6d32cc42f6aa45733c39f0a3590a2fb8547fc02f367fc882c046ade108e159c07d3f484e37118d4894972b1edf99546ce898f762355712a34

Download Submit
\Windows\SysWOW64\wuauclt.dll

Filesize
156KB

MD5
6451095f639ab38909988e41432f1a43

SHA1
0d5839203d8b31bb23ab5746019ea45b5545da2c

SHA256
34ce0665cbd0125173995e8051ee5a62dbadeeb6041a1da1b74811db0a41311e

SHA512
cc008c301865028adee899f80223491dd2439bcb812cc66869d1c28d1cb75427c93b3248e2718ab4abef9b5d5895e33cb4f4f3fa24cd302760055dcee4fef7e2

Download Submit
memory/1400-164-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1452-182-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1960-39-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1960-54-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1960-61-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1960-63-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1960-64-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1960-35-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1960-60-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1960-59-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1960-58-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1960-57-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1960-56-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1960-186-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1960-55-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1960-34-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1960-53-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1960-52-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1960-51-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1960-50-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1960-49-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1960-48-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1960-47-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1960-46-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1960-45-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1960-44-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1960-43-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1960-33-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1960-41-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1960-40-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1960-0-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1960-38-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1960-37-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1960-36-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1960-1-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1960-62-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1960-42-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1960-32-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1960-31-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1960-30-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1960-29-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1960-28-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1960-27-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/1960-26-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/1960-24-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1960-23-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/1960-22-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/1960-21-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/1960-20-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1960-19-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1960-18-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1960-17-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/1960-16-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/1960-15-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/1960-14-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1960-13-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/1960-12-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1960-11-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1960-10-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1960-9-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1960-8-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1960-7-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/1960-6-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download
memory/1960-5-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1960-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1960-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1960-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads