93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 00:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71.exe
Size

285KB
MD5

3895caf857ac1d86b5dea73b778e92d2
SHA1

c7ba457f4df341aa69ea3a16a5f31011fd9081c4
SHA256

93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71
SHA512

847fdea019f2291b78e5c820e106cbb45234a0310aa15ea952fd2dd4bbfcde71abbe24b2ed0c4aeaee8a8332ffdd1d2d271fc27fcbf2d79376a13bc1f7e472f4
SSDEEP

6144:+ZyKE4FBg+XHnZYkQGmzRrOEg0q/vjLm1AHkUm1Ys8xiV4DvtsJRlVDqa8GzNHL1:NBaBnmtOwq/+1MkU68raJRHua8G9LcoH

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JavaWeb\\jusched.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe

UPX dump on OEP (original entry point) 22 IoCs

resource	yara_rule
behavioral2/memory/1160-0-0x0000000000400000-0x00000000005A8000-memory.dmp	UPX
behavioral2/files/0x0007000000023400-16.dat	UPX
behavioral2/memory/1160-28-0x0000000000400000-0x00000000005A8000-memory.dmp	UPX
behavioral2/memory/3644-31-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/3644-34-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/3644-35-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/5776-36-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/5776-40-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/5776-42-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/2920-43-0x0000000000400000-0x00000000005A8000-memory.dmp	UPX
behavioral2/memory/3644-49-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/5776-50-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/3644-51-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/3644-52-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/3644-56-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/3644-58-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/3644-60-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/3644-63-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/3644-67-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/3644-70-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/3644-72-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/3644-74-0x0000000000400000-0x000000000045C000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71.exe

Executes dropped EXE 3 IoCs

pid	Process
2920	jusched.exe
3644	jusched.exe
5776	jusched.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1160-0-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral2/files/0x0007000000023400-16.dat	upx
behavioral2/memory/1160-28-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral2/memory/3644-31-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3644-34-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3644-35-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/5776-36-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/5776-40-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/5776-42-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2920-43-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral2/memory/3644-49-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/5776-50-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3644-51-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3644-52-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3644-56-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3644-58-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3644-60-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3644-63-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3644-67-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3644-70-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3644-72-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3644-74-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Machine = "C:\\Users\\Admin\\AppData\\Roaming\\JavaWeb\\jusched.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 3644	2920	jusched.exe	93
PID 2920 set thread context of 5776	2920	jusched.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
5516	reg.exe
4228	reg.exe
5184	reg.exe
5612	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	3644	jusched.exe
Token: SeCreateTokenPrivilege	3644	jusched.exe
Token: SeAssignPrimaryTokenPrivilege	3644	jusched.exe
Token: SeLockMemoryPrivilege	3644	jusched.exe
Token: SeIncreaseQuotaPrivilege	3644	jusched.exe
Token: SeMachineAccountPrivilege	3644	jusched.exe
Token: SeTcbPrivilege	3644	jusched.exe
Token: SeSecurityPrivilege	3644	jusched.exe
Token: SeTakeOwnershipPrivilege	3644	jusched.exe
Token: SeLoadDriverPrivilege	3644	jusched.exe
Token: SeSystemProfilePrivilege	3644	jusched.exe
Token: SeSystemtimePrivilege	3644	jusched.exe
Token: SeProfSingleProcessPrivilege	3644	jusched.exe
Token: SeIncBasePriorityPrivilege	3644	jusched.exe
Token: SeCreatePagefilePrivilege	3644	jusched.exe
Token: SeCreatePermanentPrivilege	3644	jusched.exe
Token: SeBackupPrivilege	3644	jusched.exe
Token: SeRestorePrivilege	3644	jusched.exe
Token: SeShutdownPrivilege	3644	jusched.exe
Token: SeDebugPrivilege	3644	jusched.exe
Token: SeAuditPrivilege	3644	jusched.exe
Token: SeSystemEnvironmentPrivilege	3644	jusched.exe
Token: SeChangeNotifyPrivilege	3644	jusched.exe
Token: SeRemoteShutdownPrivilege	3644	jusched.exe
Token: SeUndockPrivilege	3644	jusched.exe
Token: SeSyncAgentPrivilege	3644	jusched.exe
Token: SeEnableDelegationPrivilege	3644	jusched.exe
Token: SeManageVolumePrivilege	3644	jusched.exe
Token: SeImpersonatePrivilege	3644	jusched.exe
Token: SeCreateGlobalPrivilege	3644	jusched.exe
Token: 31	3644	jusched.exe
Token: 32	3644	jusched.exe
Token: 33	3644	jusched.exe
Token: 34	3644	jusched.exe
Token: 35	3644	jusched.exe
Token: SeDebugPrivilege	5776	jusched.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1160	93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71.exe
2920	jusched.exe
3644	jusched.exe
3644	jusched.exe
5776	jusched.exe
3644	jusched.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 3928	1160	93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71.exe	87
PID 1160 wrote to memory of 3928	1160	93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71.exe	87
PID 1160 wrote to memory of 3928	1160	93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71.exe	87
PID 3928 wrote to memory of 3976	3928	cmd.exe	91
PID 3928 wrote to memory of 3976	3928	cmd.exe	91
PID 3928 wrote to memory of 3976	3928	cmd.exe	91
PID 1160 wrote to memory of 2920	1160	93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71.exe	92
PID 1160 wrote to memory of 2920	1160	93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71.exe	92
PID 1160 wrote to memory of 2920	1160	93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71.exe	92
PID 2920 wrote to memory of 3644	2920	jusched.exe	93
PID 2920 wrote to memory of 3644	2920	jusched.exe	93
PID 2920 wrote to memory of 3644	2920	jusched.exe	93
PID 2920 wrote to memory of 3644	2920	jusched.exe	93
PID 2920 wrote to memory of 3644	2920	jusched.exe	93
PID 2920 wrote to memory of 3644	2920	jusched.exe	93
PID 2920 wrote to memory of 3644	2920	jusched.exe	93
PID 2920 wrote to memory of 3644	2920	jusched.exe	93
PID 2920 wrote to memory of 5776	2920	jusched.exe	94
PID 2920 wrote to memory of 5776	2920	jusched.exe	94
PID 2920 wrote to memory of 5776	2920	jusched.exe	94
PID 2920 wrote to memory of 5776	2920	jusched.exe	94
PID 2920 wrote to memory of 5776	2920	jusched.exe	94
PID 2920 wrote to memory of 5776	2920	jusched.exe	94
PID 2920 wrote to memory of 5776	2920	jusched.exe	94
PID 2920 wrote to memory of 5776	2920	jusched.exe	94
PID 3644 wrote to memory of 1920	3644	jusched.exe	95
PID 3644 wrote to memory of 1920	3644	jusched.exe	95
PID 3644 wrote to memory of 1920	3644	jusched.exe	95
PID 3644 wrote to memory of 2408	3644	jusched.exe	96
PID 3644 wrote to memory of 2408	3644	jusched.exe	96
PID 3644 wrote to memory of 2408	3644	jusched.exe	96
PID 3644 wrote to memory of 3092	3644	jusched.exe	97
PID 3644 wrote to memory of 3092	3644	jusched.exe	97
PID 3644 wrote to memory of 3092	3644	jusched.exe	97
PID 3644 wrote to memory of 2536	3644	jusched.exe	99
PID 3644 wrote to memory of 2536	3644	jusched.exe	99
PID 3644 wrote to memory of 2536	3644	jusched.exe	99
PID 1920 wrote to memory of 5516	1920	cmd.exe	103
PID 1920 wrote to memory of 5516	1920	cmd.exe	103
PID 1920 wrote to memory of 5516	1920	cmd.exe	103
PID 3092 wrote to memory of 4228	3092	cmd.exe	104
PID 3092 wrote to memory of 4228	3092	cmd.exe	104
PID 3092 wrote to memory of 4228	3092	cmd.exe	104
PID 2408 wrote to memory of 5184	2408	cmd.exe	105
PID 2408 wrote to memory of 5184	2408	cmd.exe	105
PID 2408 wrote to memory of 5184	2408	cmd.exe	105
PID 2536 wrote to memory of 5612	2536	cmd.exe	106
PID 2536 wrote to memory of 5612	2536	cmd.exe	106
PID 2536 wrote to memory of 5612	2536	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71.exe
"C:\Users\Admin\AppData\Local\Temp\93cb7b35916302945f838f993c0e667e4ac9eed022088b4b300b3ad8e4ee7a71.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XVQAx.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Machine" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3976
- C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
  "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
    C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:5516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:5184
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:5612
- - C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
    C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XVQAx.txt

Filesize
149B

MD5
976ffa9a304b234c039c8739d97bb893

SHA1
f70f7ede8b6e5d1b8a9b53c9bf43882485b55bd6

SHA256
2b77cf051bb584aada8b9e5e07cba06e2077b42f009c33d10e31994ceec10384

SHA512
1bd398b968736efbab740c81776781023a4ef0dc1c0191d6393a7582bd79b452666163691d82a27ee8989a1e293e6d6df57c303aa9b34497ae52be417f9e269c

Download Submit
C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.txt

Filesize
285KB

MD5
29052b1ba098ee25e9a89083638413fb

SHA1
88fdd3539a6620c27f4ff0323f47a248beaab5fa

SHA256
22f3eca9bd3647618aab4cd1f5dc06e7b6584e1ca1b41c26b538d7d62e12b8ad

SHA512
2fba5adeac3d63b8a1df22d91ec5be6b074d700e4a9327461fe224388261c8f95af66c6f20c035609714802dbe025baab7e0895fa9feac90ddab7fa6d8c6fa92

Download Submit
memory/1160-0-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/1160-28-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/2920-43-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/3644-34-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-52-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-74-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-72-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-70-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-31-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-49-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-67-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-51-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-35-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-56-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-58-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-60-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-63-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5776-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5776-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5776-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5776-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads