e53c9ef16e478d900bdcfb2ee2bdc909601cb711085cf2a8ea563e56b7a669c7

General

Target

79534d06d99f1483c3d47515fb7fb150N.exe
Size

1.8MB
MD5

79534d06d99f1483c3d47515fb7fb150
SHA1

246463a688603fe18a871eb003299a0553b6beb4
SHA256

e53c9ef16e478d900bdcfb2ee2bdc909601cb711085cf2a8ea563e56b7a669c7
SHA512

2ddddc81c2d0f527752be826a791db50a6715c5889c7965da953cfe7102b2860ed3409e6e239b67a835f5c7b3f3e37cfbce1aa4a23c7f7ec67d76876421a8e15
SSDEEP

49152:bVA4fBDGeLp63a3/cKgzR/iJdIwQZFJD68dGYWPbmnq0G2SImeGf0g+gS6ZI8u4k:bVA4fBDGeLp6K3/cKgzR/iJdIwQZFJD3

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

79534d06d99f1483c3d47515fb7fb150N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	79534d06d99f1483c3d47515fb7fb150N.exe

Executes dropped EXE 3 IoCs

Processes:

Firefox.exeFirefox.exeFirefox.exe

pid process

2120 Firefox.exe
548 Firefox.exe
3136 Firefox.exe

pid	process
2120	Firefox.exe
548	Firefox.exe
3136	Firefox.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/548-34-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/548-36-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3136-37-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3136-43-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3136-44-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/548-31-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/548-49-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3136-50-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/548-51-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/548-55-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/548-62-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/548-73-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater 3 = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Firefox.exe

description	pid	process	target process
PID 2120 set thread context of 548	2120	Firefox.exe	Firefox.exe
PID 2120 set thread context of 3136	2120	Firefox.exe	Firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exe79534d06d99f1483c3d47515fb7fb150N.exereg.exeFirefox.execmd.execmd.exeFirefox.exereg.exeFirefox.exereg.execmd.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79534d06d99f1483c3d47515fb7fb150N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

3028 reg.exe
5020 reg.exe
1136 reg.exe
3872 reg.exe

pid	process
3028	reg.exe
5020	reg.exe
1136	reg.exe
3872	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

Firefox.exeFirefox.exe

description	pid	process
Token: 1	548	Firefox.exe
Token: SeCreateTokenPrivilege	548	Firefox.exe
Token: SeAssignPrimaryTokenPrivilege	548	Firefox.exe
Token: SeLockMemoryPrivilege	548	Firefox.exe
Token: SeIncreaseQuotaPrivilege	548	Firefox.exe
Token: SeMachineAccountPrivilege	548	Firefox.exe
Token: SeTcbPrivilege	548	Firefox.exe
Token: SeSecurityPrivilege	548	Firefox.exe
Token: SeTakeOwnershipPrivilege	548	Firefox.exe
Token: SeLoadDriverPrivilege	548	Firefox.exe
Token: SeSystemProfilePrivilege	548	Firefox.exe
Token: SeSystemtimePrivilege	548	Firefox.exe
Token: SeProfSingleProcessPrivilege	548	Firefox.exe
Token: SeIncBasePriorityPrivilege	548	Firefox.exe
Token: SeCreatePagefilePrivilege	548	Firefox.exe
Token: SeCreatePermanentPrivilege	548	Firefox.exe
Token: SeBackupPrivilege	548	Firefox.exe
Token: SeRestorePrivilege	548	Firefox.exe
Token: SeShutdownPrivilege	548	Firefox.exe
Token: SeDebugPrivilege	548	Firefox.exe
Token: SeAuditPrivilege	548	Firefox.exe
Token: SeSystemEnvironmentPrivilege	548	Firefox.exe
Token: SeChangeNotifyPrivilege	548	Firefox.exe
Token: SeRemoteShutdownPrivilege	548	Firefox.exe
Token: SeUndockPrivilege	548	Firefox.exe
Token: SeSyncAgentPrivilege	548	Firefox.exe
Token: SeEnableDelegationPrivilege	548	Firefox.exe
Token: SeManageVolumePrivilege	548	Firefox.exe
Token: SeImpersonatePrivilege	548	Firefox.exe
Token: SeCreateGlobalPrivilege	548	Firefox.exe
Token: 31	548	Firefox.exe
Token: 32	548	Firefox.exe
Token: 33	548	Firefox.exe
Token: 34	548	Firefox.exe
Token: 35	548	Firefox.exe
Token: SeDebugPrivilege	3136	Firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

79534d06d99f1483c3d47515fb7fb150N.exeFirefox.exeFirefox.exeFirefox.exe

pid process

3524 79534d06d99f1483c3d47515fb7fb150N.exe
2120 Firefox.exe
548 Firefox.exe
548 Firefox.exe
3136 Firefox.exe
548 Firefox.exe

pid	process
3524	79534d06d99f1483c3d47515fb7fb150N.exe
2120	Firefox.exe
548	Firefox.exe
548	Firefox.exe
3136	Firefox.exe
548	Firefox.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

79534d06d99f1483c3d47515fb7fb150N.execmd.exeFirefox.exeFirefox.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3524 wrote to memory of 5096	3524	79534d06d99f1483c3d47515fb7fb150N.exe	cmd.exe
PID 3524 wrote to memory of 5096	3524	79534d06d99f1483c3d47515fb7fb150N.exe	cmd.exe
PID 3524 wrote to memory of 5096	3524	79534d06d99f1483c3d47515fb7fb150N.exe	cmd.exe
PID 5096 wrote to memory of 3096	5096	cmd.exe	reg.exe
PID 5096 wrote to memory of 3096	5096	cmd.exe	reg.exe
PID 5096 wrote to memory of 3096	5096	cmd.exe	reg.exe
PID 3524 wrote to memory of 2120	3524	79534d06d99f1483c3d47515fb7fb150N.exe	Firefox.exe
PID 3524 wrote to memory of 2120	3524	79534d06d99f1483c3d47515fb7fb150N.exe	Firefox.exe
PID 3524 wrote to memory of 2120	3524	79534d06d99f1483c3d47515fb7fb150N.exe	Firefox.exe
PID 2120 wrote to memory of 548	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 548	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 548	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 548	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 548	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 548	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 548	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 548	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 3136	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 3136	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 3136	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 3136	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 3136	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 3136	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 3136	2120	Firefox.exe	Firefox.exe
PID 2120 wrote to memory of 3136	2120	Firefox.exe	Firefox.exe
PID 548 wrote to memory of 5072	548	Firefox.exe	cmd.exe
PID 548 wrote to memory of 5072	548	Firefox.exe	cmd.exe
PID 548 wrote to memory of 5072	548	Firefox.exe	cmd.exe
PID 548 wrote to memory of 5080	548	Firefox.exe	cmd.exe
PID 548 wrote to memory of 5080	548	Firefox.exe	cmd.exe
PID 548 wrote to memory of 5080	548	Firefox.exe	cmd.exe
PID 548 wrote to memory of 2284	548	Firefox.exe	cmd.exe
PID 548 wrote to memory of 2284	548	Firefox.exe	cmd.exe
PID 548 wrote to memory of 2284	548	Firefox.exe	cmd.exe
PID 548 wrote to memory of 2976	548	Firefox.exe	cmd.exe
PID 548 wrote to memory of 2976	548	Firefox.exe	cmd.exe
PID 548 wrote to memory of 2976	548	Firefox.exe	cmd.exe
PID 5080 wrote to memory of 3028	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 3028	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 3028	5080	cmd.exe	reg.exe
PID 5072 wrote to memory of 5020	5072	cmd.exe	reg.exe
PID 5072 wrote to memory of 5020	5072	cmd.exe	reg.exe
PID 5072 wrote to memory of 5020	5072	cmd.exe	reg.exe
PID 2976 wrote to memory of 1136	2976	cmd.exe	reg.exe
PID 2976 wrote to memory of 1136	2976	cmd.exe	reg.exe
PID 2976 wrote to memory of 1136	2976	cmd.exe	reg.exe
PID 2284 wrote to memory of 3872	2284	cmd.exe	reg.exe
PID 2284 wrote to memory of 3872	2284	cmd.exe	reg.exe
PID 2284 wrote to memory of 3872	2284	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\79534d06d99f1483c3d47515fb7fb150N.exe
"C:\Users\Admin\AppData\Local\Temp\79534d06d99f1483c3d47515fb7fb150N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQPhg.bat" "
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Updater 3" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe" /f
3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3096

C:\Users\Admin\AppData\Roaming\Firefox.exe
"C:\Users\Admin\AppData\Roaming\Firefox.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Roaming\Firefox.exe
C:\Users\Admin\AppData\Roaming\Firefox.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5020

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3872

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1136

C:\Users\Admin\AppData\Roaming\Firefox.exe
C:\Users\Admin\AppData\Roaming\Firefox.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GQPhg.bat

Filesize
143B

MD5
962bc493b87f298696ad6e3eed7c7937

SHA1
985cc0c7e37e2465c4349abd528e120663ebd205

SHA256
c167e2faa5307ac291ff833b8a1f5f802eaa028d1aba8d1ad342ca84c07bdb01

SHA512
9dd2b755a404b74206b713ab17d2ddedacc48910e942dab71cf7e98d8d25322c24e32648f0881136e5425134aaccfbfd9bdc52ceb4519bd07e97c5564116f173

Download Submit
C:\Users\Admin\AppData\Roaming\Firefox.txt

Filesize
1.8MB

MD5
fd8232d665166b288cb329df0f82c416

SHA1
6d883b5ce8fc9996c90d134a32d434154e4fd085

SHA256
dca7c96e4101359f2859362ef64d58d4b013a1b970ed38515821532545d10d5d

SHA512
a8b3d9586dd29750ff6bdbd265cb2cfbeb263aae4ec049127b996cfb1a3d80aa9e0cac55257b0bc2ea3279e53206ec2c3631507ba88a179cbdfbdb24d2a694da

Download Submit
memory/548-49-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/548-34-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/548-36-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/548-31-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/548-51-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/548-55-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/548-62-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/548-73-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3136-37-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3136-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3136-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3136-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3524-0-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads