70971148ed1fadb17a1de707b03b0b61bcf9d523c540b9bf4e411b5bb0dda5f0

Analysis

max time kernel
43s
max time network
16s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Covid21 2.0.exe
Size

1.2MB
MD5

a7c7f5e792809db8653a75c958f82bc4
SHA1

7ebe75db24af98efdcfebd970e7eea4b029f9f81
SHA256

02fea9970500d498e602b22cea68ade9869aca40a5cdc79cf1798644ba2057ca
SHA512

feb42cc7b4f344c043bda8bebeefa8cbb68406d1e937dcdc5a403981f79587fa438c682c4744a47a77482fc049b0334806d468aeb67edd4a92d90b5acd0c16ae
SSDEEP

24576:kweQ5x+HPXJ9N2qifMpZcu/6z6toe20xYuLFzY77+89J9o2:kwVeHhH2qoMIum62uhY7Kco2

Score

8^/10

aspackv2 evasion persistence ransomware upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral7/files/0x0006000000016d9f-217.dat	aspack_v212_v242

Executes dropped EXE 8 IoCs

pid	Process
2528	CLWCP.exe
2324	Corona.exe
1760	inv.exe
2024	z.exe
988	mlt.exe
2744	icons.exe
1088	screenscrew.exe
2144	PayloadMBR.exe

Loads dropped DLL 16 IoCs

pid	Process
2660	cmd.exe
2660	cmd.exe
2476	cmd.exe
2476	cmd.exe
2660	cmd.exe
2660	cmd.exe
2660	cmd.exe
2660	cmd.exe
2660	cmd.exe
2660	cmd.exe
2660	cmd.exe
2660	cmd.exe
2660	cmd.exe
2660	cmd.exe
2660	cmd.exe
2660	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral7/memory/2268-0-0x0000000000400000-0x00000000006CF000-memory.dmp	upx
behavioral7/memory/2268-97-0x0000000000400000-0x00000000006CF000-memory.dmp	upx
behavioral7/memory/2268-282-0x0000000000400000-0x00000000006CF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F1E.tmp\\PayloadMBR.exe"	PayloadMBR.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\clwcp.bmp"	CLWCP.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\clwcp.bmp	CLWCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2468	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
2696	timeout.exe
844	timeout.exe
2768	timeout.exe
2156	timeout.exe
1344	timeout.exe
1592	timeout.exe
2912	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2420	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2436	reg.exe
2488	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2660	2268	Covid21 2.0.exe	28
PID 2268 wrote to memory of 2660	2268	Covid21 2.0.exe	28
PID 2268 wrote to memory of 2660	2268	Covid21 2.0.exe	28
PID 2268 wrote to memory of 2660	2268	Covid21 2.0.exe	28
PID 2660 wrote to memory of 2360	2660	cmd.exe	30
PID 2660 wrote to memory of 2360	2660	cmd.exe	30
PID 2660 wrote to memory of 2360	2660	cmd.exe	30
PID 2660 wrote to memory of 2360	2660	cmd.exe	30
PID 2660 wrote to memory of 2436	2660	cmd.exe	31
PID 2660 wrote to memory of 2436	2660	cmd.exe	31
PID 2660 wrote to memory of 2436	2660	cmd.exe	31
PID 2660 wrote to memory of 2436	2660	cmd.exe	31
PID 2660 wrote to memory of 2144	2660	cmd.exe	32
PID 2660 wrote to memory of 2144	2660	cmd.exe	32
PID 2660 wrote to memory of 2144	2660	cmd.exe	32
PID 2660 wrote to memory of 2144	2660	cmd.exe	32
PID 2660 wrote to memory of 2528	2660	cmd.exe	33
PID 2660 wrote to memory of 2528	2660	cmd.exe	33
PID 2660 wrote to memory of 2528	2660	cmd.exe	33
PID 2660 wrote to memory of 2528	2660	cmd.exe	33
PID 2660 wrote to memory of 2488	2660	cmd.exe	34
PID 2660 wrote to memory of 2488	2660	cmd.exe	34
PID 2660 wrote to memory of 2488	2660	cmd.exe	34
PID 2660 wrote to memory of 2488	2660	cmd.exe	34
PID 2660 wrote to memory of 1648	2660	cmd.exe	35
PID 2660 wrote to memory of 1648	2660	cmd.exe	35
PID 2660 wrote to memory of 1648	2660	cmd.exe	35
PID 2660 wrote to memory of 1648	2660	cmd.exe	35
PID 2660 wrote to memory of 2476	2660	cmd.exe	36
PID 2660 wrote to memory of 2476	2660	cmd.exe	36
PID 2660 wrote to memory of 2476	2660	cmd.exe	36
PID 2660 wrote to memory of 2476	2660	cmd.exe	36
PID 2660 wrote to memory of 2696	2660	cmd.exe	38
PID 2660 wrote to memory of 2696	2660	cmd.exe	38
PID 2660 wrote to memory of 2696	2660	cmd.exe	38
PID 2660 wrote to memory of 2696	2660	cmd.exe	38
PID 2476 wrote to memory of 2324	2476	cmd.exe	39
PID 2476 wrote to memory of 2324	2476	cmd.exe	39
PID 2476 wrote to memory of 2324	2476	cmd.exe	39
PID 2476 wrote to memory of 2324	2476	cmd.exe	39
PID 2660 wrote to memory of 1760	2660	cmd.exe	40
PID 2660 wrote to memory of 1760	2660	cmd.exe	40
PID 2660 wrote to memory of 1760	2660	cmd.exe	40
PID 2660 wrote to memory of 1760	2660	cmd.exe	40
PID 2660 wrote to memory of 1340	2660	cmd.exe	41
PID 2660 wrote to memory of 1340	2660	cmd.exe	41
PID 2660 wrote to memory of 1340	2660	cmd.exe	41
PID 2660 wrote to memory of 1340	2660	cmd.exe	41
PID 2660 wrote to memory of 844	2660	cmd.exe	42
PID 2660 wrote to memory of 844	2660	cmd.exe	42
PID 2660 wrote to memory of 844	2660	cmd.exe	42
PID 2660 wrote to memory of 844	2660	cmd.exe	42
PID 2660 wrote to memory of 2024	2660	cmd.exe	43
PID 2660 wrote to memory of 2024	2660	cmd.exe	43
PID 2660 wrote to memory of 2024	2660	cmd.exe	43
PID 2660 wrote to memory of 2024	2660	cmd.exe	43
PID 2660 wrote to memory of 2668	2660	cmd.exe	44
PID 2660 wrote to memory of 2668	2660	cmd.exe	44
PID 2660 wrote to memory of 2668	2660	cmd.exe	44
PID 2660 wrote to memory of 2668	2660	cmd.exe	44
PID 2660 wrote to memory of 2768	2660	cmd.exe	45
PID 2660 wrote to memory of 2768	2660	cmd.exe	45
PID 2660 wrote to memory of 2768	2660	cmd.exe	45
PID 2660 wrote to memory of 2768	2660	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\Covid21 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\Covid21 2.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\F1E.tmp\Covid21.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cscript.exe
    cscript prompt.vbs
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2436
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2144
- - C:\Users\Admin\AppData\Local\Temp\F1E.tmp\CLWCP.exe
    clwcp c:\covid21\covid.jpg
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    PID:2528
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2488
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\F1E.tmp\x.vbs"
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K coronaloop.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - \??\c:\covid21\Corona.exe
      c:\covid21\corona.exe
      4⤵
      Executes dropped EXE
      PID:2324
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\F1E.tmp\inv.exe
    inv.exe
    3⤵
    - Executes dropped EXE
    PID:1760
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\F1E.tmp\y.vbs"
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:844
- - C:\Users\Admin\AppData\Local\Temp\F1E.tmp\z.exe
    z.exe
    3⤵
    - Executes dropped EXE
    PID:2024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\F1E.tmp\y.vbs"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\F1E.tmp\mlt.exe
    mlt.exe
    3⤵
    - Executes dropped EXE
    PID:988
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\F1E.tmp\y.vbs"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2156
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\F1E.tmp\y.vbs"
    3⤵
    PID:1104
- - C:\Users\Admin\AppData\Local\Temp\F1E.tmp\icons.exe
    icons.exe
    3⤵
    - Executes dropped EXE
    PID:2744
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1344
- - C:\Users\Admin\AppData\Local\Temp\F1E.tmp\screenscrew.exe
    screenscrew.exe
    3⤵
    - Executes dropped EXE
    PID:1088
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\F1E.tmp\y.vbs"
    3⤵
    PID:876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1592
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\F1E.tmp\t.vbs"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Users\Admin\AppData\Local\Temp\F1E.tmp\PayloadMBR.exe
    PayloadMBR.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2144
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\F1E.tmp\PayloadMBR.exe"
      4⤵
      Creates scheduled task(s)
      PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F1E.tmp\Corona.exe

Filesize
519KB

MD5
6374ca8ad59246dfed4794fd788d6560

SHA1
d54281430ad11272f657de4e909b4ba7b8561821

SHA256
25b6f4abc0b8a7a3f3cae54a2f75810b977c0f5ed20af98e77be9449e7135108

SHA512
0434f5c6ecd1a036a59e2f5de56f0905460d46c31fff6a7f160f54cfbcb56ea2da22647d564e53d66c47a789a67d165c59e64d924b0f2cf80fdcd865847a772f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1E.tmp\Covid21.bat

Filesize
1KB

MD5
6b89a7fd6e3d9bdc4658162aaf468558

SHA1
f8ef11b2420b95661565b799d86c188bf11bf4a7

SHA256
76986cddbfeb8fa8738c8ca2665a7f91d19d1e8c6851151fcba5164e35618dfb

SHA512
f9b3338b65d5ca6cc25b1c36b2c3299d758d5e7ac92e6fd8d0298f945e898c51e548323f86a12983bb375e49404cb6b401f5472bbb580a6675df57277045ef12

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1E.tmp\coronaloop.bat

Filesize
48B

MD5
08437e731c7b135b3779b004c7863e5f

SHA1
24ce5d4075fdc5afec6cb87cacfc7b54deadc3ec

SHA256
043b49fbbe070997844a2c4467596553261bfb6ea79ac3c50fabd42146eea924

SHA512
6006014b10f400b6975b391be64e07e78fe5a3818cd39a0a8f9349c4cff595134fb5217beb5205e04eab86473c4fa0f6701b657d76c144540aa468d2d382c8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1E.tmp\covid.jpg

Filesize
166KB

MD5
94ad752abc09644d0b91a07022ecb000

SHA1
7ee97dc56e62e7b2d86ee892e7cf70673252242f

SHA256
e3760c671cec108580d47b0f8c11ae79e9df9941d2e878032eeda1b510f91231

SHA512
9c0109a8e7de5ea42b3ce8788a412f6ed1158afd3db87884034631da15ec4c16275f0578c6ad438e91dc203c89aef725d2642e06b751df5cff0d47b3d9a1ad1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1E.tmp\icons.exe

Filesize
105KB

MD5
3ca1d5768c2944d4284b1541653823c7

SHA1
85cf021ac23cd1340c6d649e6a77a213c1f848b6

SHA256
4172c6120f8f98685698365d6dd52c80eb2080203cdde479009bf8f4fa770af0

SHA512
7972adb329dbebc347b8a68789bbac4ba7c230cc980910d18a322d1a512015633d2a5801e76c0aae2fcfe120790c69417864549787dfc37574fb0aa3bfc202f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1E.tmp\prompt.vbs

Filesize
188B

MD5
82c0a5e92259ff193b914e6c0d7c8a7a

SHA1
ed6868eff7055555689e613a62f4275eafa97c36

SHA256
02e3663bb7bc9f8fe4377887dc24e63fc83187be9cb0181f87e5f93af4c7ca8b

SHA512
43c1ef453531200dd625945a65727daef28ee480fb210e97846633841f8215261e3195a8be77c280e8b6fe193b59c7367302c3fc74879b5952fa31f3235ddb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1E.tmp\t.vbs

Filesize
60B

MD5
ee0306a79aaefbd4cf3bc7e5f8a0d3b1

SHA1
32dae2cfb0af831f0e8445f36c0d2ce0fe9b2e88

SHA256
969ae83f1366975bece266c3be5994291c55302e93564a1435fe542b456904ec

SHA512
fdfab128f4f096f4b4dd31758116522337644f269cb28e1496e20d866083bf31d277a123704e8924a0fc4ef0212cba89e3ab9fddcaffcf400c859c8df87736fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1E.tmp\x.vbs

Filesize
79B

MD5
7740551865a57633b3e92986352dfa1b

SHA1
74070b3636b69b710c32996fc1640129202f4caf

SHA256
8a36ecc37eb454fe13b4b31eb9eda67919aa5dd3a474480930982ef93334499a

SHA512
b4c5902f3ca91fa83ec0297254acf5f63b2145500863afb86f96b9c2d3844c8c476cd0f6dd31e3eb92c4aca2cd35c2f6be563549817b676fa9b4592f280c79f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1E.tmp\y.vbs

Filesize
24B

MD5
5ecb02eaaa322be4df7f61a1a23c799d

SHA1
bec83a2546f38a7133ef962d09cd520f87e5abb2

SHA256
d78710d080d6200bff04d443f8fa923f619914fb191dc2b3865da1f3d9739e30

SHA512
2306f4fc08e0aefe4a44c4507e46ee2d3d808423ec8d31980980f785e20c0df301a9b3d9a2469d609e054d5a8ac4089ac39ffb388b70ed8a36f688b4362a2f88

Download Submit
\Users\Admin\AppData\Local\Temp\F1E.tmp\CLWCP.exe

Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
\Users\Admin\AppData\Local\Temp\F1E.tmp\PayloadMBR.exe

Filesize
101KB

MD5
d917af256a1d20b4eac477cdb189367b

SHA1
6c2fa4648b16b89c4f5664f1c3490ec2022eb5dd

SHA256
e40f57f6693f4b817beb50de68027aabbb0376ca94a774f86e3833baf93dc4c0

SHA512
fd2cb0fb398a5ddd0a52cf2efc733c606884aa68ec406bdbddb3a41b31d6f9c0f0c4837326a9d53b53202792867901899a8cf5024a5e542e8bdcee615be0b707

Download Submit
\Users\Admin\AppData\Local\Temp\F1E.tmp\inv.exe

Filesize
359KB

MD5
ebb811d0396c06a70fe74d9b23679446

SHA1
e375f124a8284479dd052161a07f57de28397638

SHA256
28e979002cb4db546bf9d9d58f5a55fd8319be638a0974c634cae6e7e9dbcd89

SHA512
1de3dcd856f30004becee7c769d62530f3a5e9785c853537adc0a387d461c97b305f75cbaf13f278dd72ba22d4650e92c48edf3c3a74b13ed68ffc0d45e13774

Download Submit
\Users\Admin\AppData\Local\Temp\F1E.tmp\mlt.exe

Filesize
130KB

MD5
a4e26d32f9655dbe8efd276a530eb02b

SHA1
d194526518fddd34bfc75cc0575d9b5cf3e1e304

SHA256
4c2277c81cbf6c415ab874cfb32d3b0049c8b18ac7eee1dd6c1f5d9f5f043c83

SHA512
e77c58b321a1c696554b018cc51fad2f2df4bac39fa90f17a83ec646c90d67b6da5fccb2e80c468e2cf32cc7f9f3f62b160c3f0afbc2130faa1002ecde5b5676

Download Submit
\Users\Admin\AppData\Local\Temp\F1E.tmp\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
\Users\Admin\AppData\Local\Temp\F1E.tmp\z.exe

Filesize
412KB

MD5
a7ce5bee03c197f0a99427c4b590f4a0

SHA1
14d8617c51947fb49b3aba7e9aece83e5094cf71

SHA256
0c53a3ec2b432a9013546f92416109d7e8f64cea26ac2491635b4cf2a310d852

SHA512
7f3c56c42d899ada5acdc5c162391f9fa06455db08e6df0a57132ca5b1bb3d52e6dbc9342310480d45aa32915502aceb7552375a45d3fd1a54fee0e73af6024a

Download Submit
memory/988-228-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1088-224-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1760-187-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1760-226-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1760-110-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2268-0-0x0000000000400000-0x00000000006CF000-memory.dmp

Filesize
2.8MB

Download
memory/2268-97-0x0000000000400000-0x00000000006CF000-memory.dmp

Filesize
2.8MB

Download
memory/2268-282-0x0000000000400000-0x00000000006CF000-memory.dmp

Filesize
2.8MB

Download
memory/2324-159-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2324-98-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2528-47-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2528-51-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2744-277-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads