3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe
Size

83KB
MD5

96c7ee873c0d3d98ce5e8710f81d01c5
SHA1

3c0f3ac31c87ef0a40cef7e413e1e4b7ee9219a1
SHA256

3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b
SHA512

16e32d923f86ba3b497c95c322b889ac4bf697a9eb6c8a627d38449fd5fa73a425555d841f32ffad1ddc77f2665dd42c9a3dba17a7a9cd60175647757dd324f9
SSDEEP

1536:q4Gh0o4g0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4g05outQCMUyNjhLJh731xvsr

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F0395D-87A1-48c9-8DC3-01F77ADC8785}	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}\stubpath = "C:\\Windows\\{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}.exe"	{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22589708-55A8-4835-83E2-780F024B407D}\stubpath = "C:\\Windows\\{22589708-55A8-4835-83E2-780F024B407D}.exe"	{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1B4F35-035C-4f24-96BA-FFD744319E79}\stubpath = "C:\\Windows\\{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe"	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}\stubpath = "C:\\Windows\\{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe"	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}	{4F77C045-1525-49eb-8379-8D458643BB01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}\stubpath = "C:\\Windows\\{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe"	{4F77C045-1525-49eb-8379-8D458643BB01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}\stubpath = "C:\\Windows\\{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe"	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{489B3ED0-BD27-478b-A742-1D35562CAC41}	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{489B3ED0-BD27-478b-A742-1D35562CAC41}\stubpath = "C:\\Windows\\{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe"	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F77C045-1525-49eb-8379-8D458643BB01}	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F77C045-1525-49eb-8379-8D458643BB01}\stubpath = "C:\\Windows\\{4F77C045-1525-49eb-8379-8D458643BB01}.exe"	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB12920B-C414-4995-9B69-8B02DA3C8D0D}	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}	{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22589708-55A8-4835-83E2-780F024B407D}	{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}	3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}\stubpath = "C:\\Windows\\{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe"	3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F0395D-87A1-48c9-8DC3-01F77ADC8785}\stubpath = "C:\\Windows\\{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe"	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1B4F35-035C-4f24-96BA-FFD744319E79}	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}\stubpath = "C:\\Windows\\{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe"	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB12920B-C414-4995-9B69-8B02DA3C8D0D}\stubpath = "C:\\Windows\\{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe"	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1984	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe
2792	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe
1472	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe
2484	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe
3792	{4F77C045-1525-49eb-8379-8D458643BB01}.exe
780	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe
5004	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe
472	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe
3012	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe
3720	{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe
4576	{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}.exe
2848	{22589708-55A8-4835-83E2-780F024B407D}.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3264-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3264-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0004000000022723-4.dat	upx
behavioral2/memory/1984-5-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3264-7-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1984-8-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000e0000000233b3-11.dat	upx
behavioral2/memory/1984-13-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2792-14-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000b0000000234ef-15.dat	upx
behavioral2/memory/1472-20-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2792-19-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1472-21-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1472-25-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00070000000234f7-24.dat	upx
behavioral2/memory/2484-26-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2484-28-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00080000000234ff-31.dat	upx
behavioral2/memory/2484-32-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3792-33-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3792-35-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3792-39-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/780-40-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00080000000234f7-38.dat	upx
behavioral2/memory/780-42-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00090000000234ff-45.dat	upx
behavioral2/memory/780-46-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/5004-47-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/5004-49-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/5004-52-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0003000000000705-53.dat	upx
behavioral2/memory/472-54-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/472-56-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/472-60-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3012-61-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0003000000000707-58.dat	upx
behavioral2/memory/3012-63-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0004000000000705-66.dat	upx
behavioral2/memory/3012-68-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3720-69-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3720-70-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00030000000006dd-73.dat	upx
behavioral2/memory/4576-75-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3720-74-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4576-77-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0003000000000709-80.dat	upx
behavioral2/memory/2848-83-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4576-81-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe
File created	C:\Windows\{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe
File created	C:\Windows\{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}.exe	{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe
File created	C:\Windows\{22589708-55A8-4835-83E2-780F024B407D}.exe	{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}.exe
File created	C:\Windows\{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe
File created	C:\Windows\{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe
File created	C:\Windows\{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe
File created	C:\Windows\{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe
File created	C:\Windows\{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe
File created	C:\Windows\{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe	3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe
File created	C:\Windows\{4F77C045-1525-49eb-8379-8D458643BB01}.exe	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe
File created	C:\Windows\{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe	{4F77C045-1525-49eb-8379-8D458643BB01}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4F77C045-1525-49eb-8379-8D458643BB01}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22589708-55A8-4835-83E2-780F024B407D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3264	3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe
Token: SeIncBasePriorityPrivilege	1984	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe
Token: SeIncBasePriorityPrivilege	2792	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe
Token: SeIncBasePriorityPrivilege	1472	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe
Token: SeIncBasePriorityPrivilege	2484	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe
Token: SeIncBasePriorityPrivilege	3792	{4F77C045-1525-49eb-8379-8D458643BB01}.exe
Token: SeIncBasePriorityPrivilege	780	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe
Token: SeIncBasePriorityPrivilege	5004	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe
Token: SeIncBasePriorityPrivilege	472	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe
Token: SeIncBasePriorityPrivilege	3012	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe
Token: SeIncBasePriorityPrivilege	3720	{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe
Token: SeIncBasePriorityPrivilege	4576	{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 1984	3264	3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe	87
PID 3264 wrote to memory of 1984	3264	3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe	87
PID 3264 wrote to memory of 1984	3264	3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe	87
PID 3264 wrote to memory of 1836	3264	3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe	88
PID 3264 wrote to memory of 1836	3264	3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe	88
PID 3264 wrote to memory of 1836	3264	3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe	88
PID 1984 wrote to memory of 2792	1984	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe	89
PID 1984 wrote to memory of 2792	1984	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe	89
PID 1984 wrote to memory of 2792	1984	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe	89
PID 1984 wrote to memory of 2368	1984	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe	90
PID 1984 wrote to memory of 2368	1984	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe	90
PID 1984 wrote to memory of 2368	1984	{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe	90
PID 2792 wrote to memory of 1472	2792	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe	93
PID 2792 wrote to memory of 1472	2792	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe	93
PID 2792 wrote to memory of 1472	2792	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe	93
PID 2792 wrote to memory of 3608	2792	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe	94
PID 2792 wrote to memory of 3608	2792	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe	94
PID 2792 wrote to memory of 3608	2792	{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe	94
PID 1472 wrote to memory of 2484	1472	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe	101
PID 1472 wrote to memory of 2484	1472	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe	101
PID 1472 wrote to memory of 2484	1472	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe	101
PID 1472 wrote to memory of 3540	1472	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe	102
PID 1472 wrote to memory of 3540	1472	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe	102
PID 1472 wrote to memory of 3540	1472	{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe	102
PID 2484 wrote to memory of 3792	2484	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe	104
PID 2484 wrote to memory of 3792	2484	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe	104
PID 2484 wrote to memory of 3792	2484	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe	104
PID 2484 wrote to memory of 3472	2484	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe	105
PID 2484 wrote to memory of 3472	2484	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe	105
PID 2484 wrote to memory of 3472	2484	{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe	105
PID 3792 wrote to memory of 780	3792	{4F77C045-1525-49eb-8379-8D458643BB01}.exe	106
PID 3792 wrote to memory of 780	3792	{4F77C045-1525-49eb-8379-8D458643BB01}.exe	106
PID 3792 wrote to memory of 780	3792	{4F77C045-1525-49eb-8379-8D458643BB01}.exe	106
PID 3792 wrote to memory of 2776	3792	{4F77C045-1525-49eb-8379-8D458643BB01}.exe	107
PID 3792 wrote to memory of 2776	3792	{4F77C045-1525-49eb-8379-8D458643BB01}.exe	107
PID 3792 wrote to memory of 2776	3792	{4F77C045-1525-49eb-8379-8D458643BB01}.exe	107
PID 780 wrote to memory of 5004	780	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe	108
PID 780 wrote to memory of 5004	780	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe	108
PID 780 wrote to memory of 5004	780	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe	108
PID 780 wrote to memory of 3060	780	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe	109
PID 780 wrote to memory of 3060	780	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe	109
PID 780 wrote to memory of 3060	780	{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe	109
PID 5004 wrote to memory of 472	5004	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe	110
PID 5004 wrote to memory of 472	5004	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe	110
PID 5004 wrote to memory of 472	5004	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe	110
PID 5004 wrote to memory of 1240	5004	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe	111
PID 5004 wrote to memory of 1240	5004	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe	111
PID 5004 wrote to memory of 1240	5004	{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe	111
PID 472 wrote to memory of 3012	472	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe	112
PID 472 wrote to memory of 3012	472	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe	112
PID 472 wrote to memory of 3012	472	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe	112
PID 472 wrote to memory of 4560	472	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe	113
PID 472 wrote to memory of 4560	472	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe	113
PID 472 wrote to memory of 4560	472	{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe	113
PID 3012 wrote to memory of 3720	3012	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe	114
PID 3012 wrote to memory of 3720	3012	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe	114
PID 3012 wrote to memory of 3720	3012	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe	114
PID 3012 wrote to memory of 3028	3012	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe	115
PID 3012 wrote to memory of 3028	3012	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe	115
PID 3012 wrote to memory of 3028	3012	{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe	115
PID 3720 wrote to memory of 4576	3720	{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe	116
PID 3720 wrote to memory of 4576	3720	{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe	116
PID 3720 wrote to memory of 4576	3720	{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe	116
PID 3720 wrote to memory of 2156	3720	{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe	117

C:\Users\Admin\AppData\Local\Temp\3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe
"C:\Users\Admin\AppData\Local\Temp\3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe
  C:\Windows\{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe
    C:\Windows\{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe
      C:\Windows\{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe
        
        C:\Windows\{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\{4F77C045-1525-49eb-8379-8D458643BB01}.exe
        
        C:\Windows\{4F77C045-1525-49eb-8379-8D458643BB01}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe
        
        C:\Windows\{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe
        
        C:\Windows\{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe
        
        C:\Windows\{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe
        
        C:\Windows\{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe
        
        C:\Windows\{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}.exe
        
        C:\Windows\{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
        
        C:\Windows\{22589708-55A8-4835-83E2-780F024B407D}.exe
        
        C:\Windows\{22589708-55A8-4835-83E2-780F024B407D}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87604~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB129~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43E56~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{040CC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A1B4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0854F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F77C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43F03~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{489B3~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4DDE6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{79A0F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3B8C3F~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{040CCF8D-AA5A-4d15-826E-9BAC4844DD49}.exe

Filesize
83KB

MD5
ef0a9eae414a8439350f9a64ed4974d0

SHA1
2c2490748b14d22e912f74d242f55188288332a2

SHA256
796c9890847f244538a1aadbc80f0d9f5f1f77782cb9ecd2254e48ab7609a7fd

SHA512
efe1633db91ecb6532fc8c82fa9acafc6e2919518ff23acf441c66d3c7d98dd7fc0d9e7a9afb732bd70a14e1473941328b93047f27b993dc71cc5491fdd3fe0c

Download Submit
C:\Windows\{0854FA8D-CB7A-47d9-B2A4-D17E6B5034DF}.exe

Filesize
83KB

MD5
e9fe66f28a08cccce1f59dc061d4af15

SHA1
0d23681bde40315439857fbf74f134e8c3dece95

SHA256
4a780d13e44d8fe24bbbe89550cc52382648b94e50470ecefaede12cf819bb65

SHA512
6f84f5bb8a1c03976ff623328a4febfba0d9518e0d104a0d955c6332194077d7604659b248a427581de970f672f642f9bb7580a062675e63cbdef29300dbec0c

Download Submit
C:\Windows\{0A1B4F35-035C-4f24-96BA-FFD744319E79}.exe

Filesize
83KB

MD5
085dda4e01a457dfe5f11947d0ff8c95

SHA1
6974e011b5fdf91f7e4fc31fdf9a230c7dd0a841

SHA256
8271ba2b3d5cfdf0ab2550842f8d559d96248d8fc9a73f6fca84ee91367e70c9

SHA512
62c31b6bcf765a6ba66718057237c6473773f1c243938a16514eb8b36075bea19629afb8c9a59c85ded09eccc082e7bc4c1a6ebd497d49a64550c68a6c8fd5dd

Download Submit
C:\Windows\{22589708-55A8-4835-83E2-780F024B407D}.exe

Filesize
83KB

MD5
ac074c69495ce60fa8d1d61d5f45d793

SHA1
017a3ac87e0b7880713b1e0c5397c246717ade7c

SHA256
14614cd395977811f808f417e3bd3fe007b7eed69b59c668d44e11e194b26cf0

SHA512
970f6ac2ac77a65d28402a31ca7a560307ea5b2e9eb26e43565264916b9e9f9aaad5cbaa9f87cd4af67c6ecd0eceb8a93dc4bb9c5dd598ea001b0cf91fa2eb5b

Download Submit
C:\Windows\{43E56BE1-58D5-445f-AE4A-7C5C7314EA2C}.exe

Filesize
83KB

MD5
9014c021cbc8b9826dc5c5900cf5238c

SHA1
ecd84e3fa7610aa39cc5c8a52b01616cf9987ffa

SHA256
916d13ee37331a0c61521708080a816bc3b451e7541317fd0ab49fe3bbf8ec5c

SHA512
7b3e11f9effc788d23cff6b63c7dea204b832a3c8fbb1e80c08e6026cdf5ab64e54489511f23a62813b534962cfe85ac089f4252169bd4a9567a5b2177ba21c5

Download Submit
C:\Windows\{43F0395D-87A1-48c9-8DC3-01F77ADC8785}.exe

Filesize
83KB

MD5
a49c3c6b6d0777094e550c1a161a3dd5

SHA1
be3e6d526fd7dadc39e36863c02af3b814db064e

SHA256
4b9a2346ef00ceadf77888d0f8765aed5ffe1f8c8c4f4c90ec0f3896b6f00bcb

SHA512
fb02be75621897d899ccc5638e42e3c0aa9fd34b4e90f0567d08e08955ad4a42d6ab24f6c219f91859b8150ccf6ad4a7df202e472aa9d778f120e4a45d96b471

Download Submit
C:\Windows\{489B3ED0-BD27-478b-A742-1D35562CAC41}.exe

Filesize
83KB

MD5
f022e39a63b6c40552355e7702af1328

SHA1
9e57ab24bcc0de713825ee6a7d8d9eb3f4d5e698

SHA256
221e34b74655ffcb8b12ed601cc552a6de11b31f4ff1ce98daabe9d70d318c19

SHA512
029bfa1fde506331693b0404a3de8f12fef110703935d3b80a4dc9888d73091336fd213cfa826043a018890bf6c57d44f8eae2808202dff8a4ff9df8952d51db

Download Submit
C:\Windows\{4DDE6D8C-C7BE-40a5-8CCE-7E10CC62B213}.exe

Filesize
83KB

MD5
6124427bb2595495c9cbb689e0e8367e

SHA1
820a0759f1750b5be25aac4fa7614329d2ed4a89

SHA256
f7093fa0abf1c5582e765e620033f252441069ced4e7ced6d26ec9eade33285a

SHA512
e082a39d5fe2df4a06d698fe0f7f3505861fbc0eec2f5462d68010a546cc703f89da4caf874b8a0525f04072711e8517ef835b0424a77b5c3ddd685a4d1d01d4

Download Submit
C:\Windows\{4F77C045-1525-49eb-8379-8D458643BB01}.exe

Filesize
83KB

MD5
1e6304f26b67ee499c812323e4b5d9b9

SHA1
b296757c966b423c43c0c73ae56f6802e42e5ca5

SHA256
5d32cd6f8089554aaf119e8ccb43f439750491f0ce15aa8e51927ba75352001c

SHA512
67318106f0168bc75a2148a19e4056655ed81c0795dd231404d3a963ae9291b61fda22d6a053d969a755e0faf7010ba3453aadacbccf613d12882044fb42bfd9

Download Submit
C:\Windows\{79A0F90A-E92E-4f81-9FFD-545CF36BFCF2}.exe

Filesize
83KB

MD5
b0b44ca4b6eea11369f4266aa58a0e99

SHA1
e2ecae1cdb760f14a362979fcdd244f1afb3a8e8

SHA256
5117ef23e8a130752b42f21744839a30f7006e3b62d1b83a1c5900a59957de44

SHA512
3df04f358f9b1d9a09de2c8ff8f82b758da1607bef0e5bcd5207bd2ba1757a6bf2c53fe5203a015fdadb37b647a81dfa0da39687f7ceabc68cdb725abc8c1861

Download Submit
C:\Windows\{87604F2D-AA80-4e4b-B150-C1B04D2D3F76}.exe

Filesize
83KB

MD5
1fe36020661ebc740999be57c53274c4

SHA1
06f5dacbd81f6b8034c7321cdc75c673f695c939

SHA256
b44a50dd55a407d327033b614e6822f819b77f28d0a571548df2830bbb7f9e34

SHA512
4f4e32893cca292a421e5bf6e2b9c17e82742e6034bb0512a3fb055aa687aca465126e405de0d04bd35292252ad3f86179db3654ffbf59db59626e4e9088e5b9

Download Submit
C:\Windows\{EB12920B-C414-4995-9B69-8B02DA3C8D0D}.exe

Filesize
83KB

MD5
69aac9cdefe6b4d3238d4dad89e77b6b

SHA1
7c2c374fa1930e990a7842816ba8feb37333e6aa

SHA256
47648db11c2dd3808d02ca613e55fe6fd7d4ab86ce7671a4da41ac7a765cc694

SHA512
56df22ee577883efb647fc63752f2b1ae7bfa0058d67b5f567429993e4c3bfc4754a34aae765ce5ec576e76f3a0a31aa86f26ad09513243889f4e404d6d0e96d

Download Submit
memory/472-56-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/472-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/472-60-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/780-46-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/780-42-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/780-40-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1472-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1472-25-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1472-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1984-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1984-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1984-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2484-32-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2484-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2484-26-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2792-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2792-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2848-83-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3012-68-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3012-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3012-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3264-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3264-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3264-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3720-70-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3720-69-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3720-74-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3792-33-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3792-39-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3792-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4576-75-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4576-77-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4576-81-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5004-47-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5004-52-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5004-49-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads