2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6

General

Target

2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
Size

5.4MB
MD5

2cf8e658c125ab577a4796a7e58e03ae
SHA1

ad6e809d428862584d327f570693effd223c9944
SHA256

2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6
SHA512

9cfff2e8c7ff373c9d39dc563e80773c0a2b727f76aeea17e1cb6877afe1c55067f92076ed2c20164b21a9ad3dcc00948c01ee40de68ea30d8db67d2aa8de5fb
SSDEEP

98304:n2kVbc4gkJBAUZLDATC2oLbxLeORVOumgkGUa0o:lwDkJV/AG2oLb0OHmWn0o

Score

9^/10

bootkit oss_ak persistence

Malware Config

Signatures

detect oss ak 7 IoCs

oss ak information detected.

oss_ak

Processes:

resource	yara_rule
\Program Files\Windows Media Player\wmplayer\wmplayer.exe	detect_ak_stuff
behavioral1/memory/2692-42-0x0000000000400000-0x00000000007CA000-memory.dmp	detect_ak_stuff
behavioral1/memory/2692-29-0x0000000000400000-0x00000000007CA000-memory.dmp	detect_ak_stuff
behavioral1/memory/2692-26-0x0000000000400000-0x00000000007CA000-memory.dmp	detect_ak_stuff
behavioral1/memory/2692-25-0x0000000000400000-0x00000000007CA000-memory.dmp	detect_ak_stuff
behavioral1/memory/2692-22-0x0000000000400000-0x00000000007CA000-memory.dmp	detect_ak_stuff
behavioral1/memory/2692-43-0x0000000000400000-0x00000000007CA000-memory.dmp	detect_ak_stuff

Executes dropped EXE 1 IoCs

Processes:

wmplayer.exe

pid process

2616 wmplayer.exe
Loads dropped DLL 1 IoCs

Processes:

2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe

pid process

2232 2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe

pid	process
2616	wmplayer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmplayer.exesvchost.exe2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe

description	ioc	process
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\R:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\X:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\K:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\Q:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\A:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\Z:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\I:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\U:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\T:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\W:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\S:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\L:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\G:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\H:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\Y:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\J:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\N:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\V:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\P:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\B:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\E:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\O:	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\S:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wmplayer.exe

description pid process target process

PID 2616 set thread context of 2692 2616 wmplayer.exe svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

description	pid	process	target process
PID 2616 set thread context of 2692	2616	wmplayer.exe	svchost.exe

Drops file in Program Files directory 4 IoCs

Processes:

2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\wmplayer\LSML\	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer\	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File created	C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer\LSML\PZ.w	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exewmplayer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\RECYCLE.BIN	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
File opened for modification	C:\Windows\RECYCLE.BIN	wmplayer.exe
File opened for modification	C:\Windows\RECYCLE.BIN	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2708 schtasks.exe

pid	process
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exewmplayer.exesvchost.exe

pid	process
2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
2616	wmplayer.exe
2616	wmplayer.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exewmplayer.exesvchost.exe

pid	process
2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
2948	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
2948	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
2616	wmplayer.exe
2616	wmplayer.exe
2692	svchost.exe
2692	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.execmd.execmd.execmd.exewmplayer.exe

description	pid	process	target process
PID 2232 wrote to memory of 2948	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
PID 2232 wrote to memory of 2948	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
PID 2232 wrote to memory of 2948	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
PID 2232 wrote to memory of 2948	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
PID 2232 wrote to memory of 2836	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2232 wrote to memory of 2836	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2232 wrote to memory of 2836	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2232 wrote to memory of 2836	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2836 wrote to memory of 1576	2836	cmd.exe	schtasks.exe
PID 2836 wrote to memory of 1576	2836	cmd.exe	schtasks.exe
PID 2836 wrote to memory of 1576	2836	cmd.exe	schtasks.exe
PID 2836 wrote to memory of 1576	2836	cmd.exe	schtasks.exe
PID 2232 wrote to memory of 2360	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2232 wrote to memory of 2360	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2232 wrote to memory of 2360	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2232 wrote to memory of 2360	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2360 wrote to memory of 2708	2360	cmd.exe	schtasks.exe
PID 2360 wrote to memory of 2708	2360	cmd.exe	schtasks.exe
PID 2360 wrote to memory of 2708	2360	cmd.exe	schtasks.exe
PID 2360 wrote to memory of 2708	2360	cmd.exe	schtasks.exe
PID 2232 wrote to memory of 2740	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2232 wrote to memory of 2740	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2232 wrote to memory of 2740	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2232 wrote to memory of 2740	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	cmd.exe
PID 2740 wrote to memory of 2668	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2668	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2668	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2668	2740	cmd.exe	reg.exe
PID 2232 wrote to memory of 2616	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	wmplayer.exe
PID 2232 wrote to memory of 2616	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	wmplayer.exe
PID 2232 wrote to memory of 2616	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	wmplayer.exe
PID 2232 wrote to memory of 2616	2232	2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe	wmplayer.exe
PID 2616 wrote to memory of 2692	2616	wmplayer.exe	svchost.exe
PID 2616 wrote to memory of 2692	2616	wmplayer.exe	svchost.exe
PID 2616 wrote to memory of 2692	2616	wmplayer.exe	svchost.exe
PID 2616 wrote to memory of 2692	2616	wmplayer.exe	svchost.exe
PID 2616 wrote to memory of 2692	2616	wmplayer.exe	svchost.exe
PID 2616 wrote to memory of 2692	2616	wmplayer.exe	svchost.exe
PID 2616 wrote to memory of 2692	2616	wmplayer.exe	svchost.exe
PID 2616 wrote to memory of 2692	2616	wmplayer.exe	svchost.exe
PID 2616 wrote to memory of 2692	2616	wmplayer.exe	svchost.exe
PID 2616 wrote to memory of 2692	2616	wmplayer.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
"C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /delete /tn WindowsMediaPlayer /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn WindowsMediaPlayer /f
3⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /tn WindowsMediaPlayer /tr "\"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe\"" /SC ONLOGON /delay 0000:03 /RL HIGHEST
2⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn WindowsMediaPlayer /tr "\"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe\"" /SC ONLOGON /delay 0000:03 /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
3⤵
PID:2668

C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe
"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\RECYCLE.BIN
Filesize
463B

MD5
d80c93252b25b8d1b73c3c33d829e272

SHA1
e90ed95a08585b71f9f22b46d2bfb4d2ce13edc7

SHA256
0fd4ff0abffd1dc281bdfeac46df6a48dfc0cb7ed129726eb1abba5a2987447c

SHA512
a362a3338676ddb8b05e226ab6026759d25331dc7ab528e6e852dc1a84a09a6eeb73d5c6a731cc2428d491654cb381b2b81320bdc361ad033db0a4a70fb8c911

Download Submit
C:\Windows\RECYCLE.BIN
Filesize
532B

MD5
ef0eb3bf0176e59ed7025e27e1a07d81

SHA1
bc00ff141dd12ce60ee2e1b3b115700ea4bfcdff

SHA256
0c97abe8babae040749aed28eb33743e608e9f20cae5d27304501ed630969772

SHA512
4de1cef3b6a0f2cb938ebe51145884e9825ad7becafc0b50ab8ab76ed3c52d5845df21da54feddec3d7faf0afac4d303ab7e946bb9b772bd9d76b2b9082fef68

Download Submit
\Program Files\Windows Media Player\wmplayer\wmplayer.exe
Filesize
3.4MB

MD5
785124e9e0ab753f092765d87db2e6c5

SHA1
134dc470100b161a9d532608525d81a7e4abb671

SHA256
8c597cb6a277c0a0527bf287cb1612ab8a70df4b938603eaaf3f404bbd90d336

SHA512
bf48d9cb3179c4aa1a2d91798c22a58532f31d36194a52c195aa138773e97359e07d82c3679547e299f10a4dc261712a9ee1c8c8e51037c63251dc00d713477b

Download Submit
memory/2692-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-20-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/2692-42-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/2692-18-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/2692-29-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/2692-26-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/2692-25-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/2692-22-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/2692-19-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/2692-43-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads