55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe
Size

83KB
MD5

3f31419738594f62a08d726535d49141
SHA1

5dbf3634936c7cefa16f886bc0334d4063aec231
SHA256

55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e
SHA512

d789b547058fb875ebe79aa5ab5f66bb4056dda15f64303c1efba48535fa6716569fb21e30eb207f0075aadab6779767a68b6a8e28cf8e6355caa09c03f6d02b
SSDEEP

1536:q4Gh0o4R0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4R05outQCMUyNjhLJh731xvsr

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}\stubpath = "C:\\Windows\\{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}.exe"	{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}\stubpath = "C:\\Windows\\{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe"	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97D90738-7D5B-4642-8CFA-82C1754BBCE5}\stubpath = "C:\\Windows\\{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe"	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61481E6F-6B1E-4999-B85A-FE3D7F0B1BF5}\stubpath = "C:\\Windows\\{61481E6F-6B1E-4999-B85A-FE3D7F0B1BF5}.exe"	{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7461A9-C563-46d9-876A-A5C6B8F355FB}\stubpath = "C:\\Windows\\{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe"	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}\stubpath = "C:\\Windows\\{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe"	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7461A9-C563-46d9-876A-A5C6B8F355FB}	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C6AF37-7637-4044-B51D-6E01E756D512}	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}	{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97D90738-7D5B-4642-8CFA-82C1754BBCE5}	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C424EB8-8688-4e29-8450-789007D6FD34}\stubpath = "C:\\Windows\\{6C424EB8-8688-4e29-8450-789007D6FD34}.exe"	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}\stubpath = "C:\\Windows\\{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe"	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}\stubpath = "C:\\Windows\\{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}.exe"	{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}	{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61481E6F-6B1E-4999-B85A-FE3D7F0B1BF5}	{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C424EB8-8688-4e29-8450-789007D6FD34}	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C6AF37-7637-4044-B51D-6E01E756D512}\stubpath = "C:\\Windows\\{99C6AF37-7637-4044-B51D-6E01E756D512}.exe"	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}\stubpath = "C:\\Windows\\{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}.exe"	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe

Deletes itself 1 IoCs

pid	Process
2188	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2368	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe
2908	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe
2284	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe
2636	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe
2352	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe
1180	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe
1884	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe
2844	{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}.exe
444	{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}.exe
1532	{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}.exe
344	{61481E6F-6B1E-4999-B85A-FE3D7F0B1BF5}.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2332-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2332-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2332-3-0x00000000004B0000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/2368-9-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-8.dat	upx
behavioral1/memory/2332-10-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2368-18-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2368-14-0x00000000003E0000-0x00000000003F3000-memory.dmp	upx
behavioral1/files/0x000d0000000131aa-19.dat	upx
behavioral1/memory/2908-20-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2908-24-0x00000000003E0000-0x00000000003F3000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-29.dat	upx
behavioral1/memory/2908-28-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2284-30-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2284-34-0x00000000003E0000-0x00000000003F3000-memory.dmp	upx
behavioral1/files/0x000e0000000131aa-39.dat	upx
behavioral1/memory/2284-40-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2636-41-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2636-48-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2352-50-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0006000000004ed7-49.dat	upx
behavioral1/memory/2352-51-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2352-55-0x00000000002F0000-0x0000000000303000-memory.dmp	upx
behavioral1/memory/2352-61-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1180-62-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000f0000000131aa-60.dat	upx
behavioral1/memory/1884-71-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0007000000004ed7-70.dat	upx
behavioral1/memory/1180-69-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1884-72-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1884-80-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1884-76-0x0000000000390000-0x00000000003A3000-memory.dmp	upx
behavioral1/files/0x00100000000131aa-81.dat	upx
behavioral1/memory/2844-82-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2844-85-0x0000000000320000-0x0000000000333000-memory.dmp	upx
behavioral1/memory/2844-91-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0008000000004ed7-90.dat	upx
behavioral1/memory/444-92-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/444-95-0x00000000004B0000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/444-100-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x00110000000131aa-101.dat	upx
behavioral1/memory/1532-102-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1532-105-0x0000000000380000-0x0000000000393000-memory.dmp	upx
behavioral1/files/0x0009000000004ed7-110.dat	upx
behavioral1/memory/1532-111-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/344-112-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe
File created	C:\Windows\{6C424EB8-8688-4e29-8450-789007D6FD34}.exe	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe
File created	C:\Windows\{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe
File created	C:\Windows\{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe
File created	C:\Windows\{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}.exe	{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}.exe
File created	C:\Windows\{61481E6F-6B1E-4999-B85A-FE3D7F0B1BF5}.exe	{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}.exe
File created	C:\Windows\{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe
File created	C:\Windows\{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe
File created	C:\Windows\{99C6AF37-7637-4044-B51D-6E01E756D512}.exe	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe
File created	C:\Windows\{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}.exe	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe
File created	C:\Windows\{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}.exe	{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61481E6F-6B1E-4999-B85A-FE3D7F0B1BF5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2332	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe
Token: SeIncBasePriorityPrivilege	2368	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe
Token: SeIncBasePriorityPrivilege	2908	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe
Token: SeIncBasePriorityPrivilege	2284	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe
Token: SeIncBasePriorityPrivilege	2636	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe
Token: SeIncBasePriorityPrivilege	2352	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe
Token: SeIncBasePriorityPrivilege	1180	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe
Token: SeIncBasePriorityPrivilege	1884	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe
Token: SeIncBasePriorityPrivilege	2844	{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}.exe
Token: SeIncBasePriorityPrivilege	444	{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}.exe
Token: SeIncBasePriorityPrivilege	1532	{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2368	2332	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe	31
PID 2332 wrote to memory of 2368	2332	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe	31
PID 2332 wrote to memory of 2368	2332	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe	31
PID 2332 wrote to memory of 2368	2332	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe	31
PID 2332 wrote to memory of 2188	2332	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe	32
PID 2332 wrote to memory of 2188	2332	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe	32
PID 2332 wrote to memory of 2188	2332	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe	32
PID 2332 wrote to memory of 2188	2332	55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe	32
PID 2368 wrote to memory of 2908	2368	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe	33
PID 2368 wrote to memory of 2908	2368	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe	33
PID 2368 wrote to memory of 2908	2368	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe	33
PID 2368 wrote to memory of 2908	2368	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe	33
PID 2368 wrote to memory of 2756	2368	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe	34
PID 2368 wrote to memory of 2756	2368	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe	34
PID 2368 wrote to memory of 2756	2368	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe	34
PID 2368 wrote to memory of 2756	2368	{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe	34
PID 2908 wrote to memory of 2284	2908	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe	35
PID 2908 wrote to memory of 2284	2908	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe	35
PID 2908 wrote to memory of 2284	2908	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe	35
PID 2908 wrote to memory of 2284	2908	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe	35
PID 2908 wrote to memory of 2392	2908	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe	36
PID 2908 wrote to memory of 2392	2908	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe	36
PID 2908 wrote to memory of 2392	2908	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe	36
PID 2908 wrote to memory of 2392	2908	{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe	36
PID 2284 wrote to memory of 2636	2284	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe	37
PID 2284 wrote to memory of 2636	2284	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe	37
PID 2284 wrote to memory of 2636	2284	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe	37
PID 2284 wrote to memory of 2636	2284	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe	37
PID 2284 wrote to memory of 2216	2284	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe	38
PID 2284 wrote to memory of 2216	2284	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe	38
PID 2284 wrote to memory of 2216	2284	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe	38
PID 2284 wrote to memory of 2216	2284	{6C424EB8-8688-4e29-8450-789007D6FD34}.exe	38
PID 2636 wrote to memory of 2352	2636	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe	39
PID 2636 wrote to memory of 2352	2636	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe	39
PID 2636 wrote to memory of 2352	2636	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe	39
PID 2636 wrote to memory of 2352	2636	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe	39
PID 2636 wrote to memory of 2360	2636	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe	40
PID 2636 wrote to memory of 2360	2636	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe	40
PID 2636 wrote to memory of 2360	2636	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe	40
PID 2636 wrote to memory of 2360	2636	{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe	40
PID 2352 wrote to memory of 1180	2352	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe	41
PID 2352 wrote to memory of 1180	2352	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe	41
PID 2352 wrote to memory of 1180	2352	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe	41
PID 2352 wrote to memory of 1180	2352	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe	41
PID 2352 wrote to memory of 1928	2352	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe	42
PID 2352 wrote to memory of 1928	2352	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe	42
PID 2352 wrote to memory of 1928	2352	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe	42
PID 2352 wrote to memory of 1928	2352	{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe	42
PID 1180 wrote to memory of 1884	1180	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe	43
PID 1180 wrote to memory of 1884	1180	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe	43
PID 1180 wrote to memory of 1884	1180	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe	43
PID 1180 wrote to memory of 1884	1180	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe	43
PID 1180 wrote to memory of 1536	1180	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe	44
PID 1180 wrote to memory of 1536	1180	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe	44
PID 1180 wrote to memory of 1536	1180	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe	44
PID 1180 wrote to memory of 1536	1180	{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe	44
PID 1884 wrote to memory of 2844	1884	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe	45
PID 1884 wrote to memory of 2844	1884	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe	45
PID 1884 wrote to memory of 2844	1884	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe	45
PID 1884 wrote to memory of 2844	1884	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe	45
PID 1884 wrote to memory of 2152	1884	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe	46
PID 1884 wrote to memory of 2152	1884	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe	46
PID 1884 wrote to memory of 2152	1884	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe	46
PID 1884 wrote to memory of 2152	1884	{99C6AF37-7637-4044-B51D-6E01E756D512}.exe	46

C:\Users\Admin\AppData\Local\Temp\55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe
"C:\Users\Admin\AppData\Local\Temp\55878f2ae86d624d47ab9f9d2a17ddd82093d3bc2a71736b3c17e5516cc8092e.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe
  C:\Windows\{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe
    C:\Windows\{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\{6C424EB8-8688-4e29-8450-789007D6FD34}.exe
      C:\Windows\{6C424EB8-8688-4e29-8450-789007D6FD34}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe
        
        C:\Windows\{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe
        
        C:\Windows\{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe
        
        C:\Windows\{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\{99C6AF37-7637-4044-B51D-6E01E756D512}.exe
        
        C:\Windows\{99C6AF37-7637-4044-B51D-6E01E756D512}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}.exe
        
        C:\Windows\{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}.exe
        
        C:\Windows\{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}.exe
        
        C:\Windows\{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\{61481E6F-6B1E-4999-B85A-FE3D7F0B1BF5}.exe
        
        C:\Windows\{61481E6F-6B1E-4999-B85A-FE3D7F0B1BF5}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59150~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3EB9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{798C9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99C6A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE3CB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE746~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E4A6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C424~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{97D90~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{31585~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\55878F~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E4A6B85-BA18-48d5-86D6-7FB9EC24AE28}.exe

Filesize
83KB

MD5
360b14b689dae3fb0250a163474c0332

SHA1
309d11fed6d30f75207cc1f8c52e42a60278c8ed

SHA256
9d5628fc296483065905147c1adec88742d433d230f1d73124854b7ea5fe1a72

SHA512
6986bc0ef2defbf7762eab7a29fa4bcb028da29920f0f79b61f305626e7182c5fcb6b31fc26fb4e8d5582c70cd3bbaa7c119a9606926ad6899b1046efccb8a16

Download Submit
C:\Windows\{315853B4-8421-4fb4-BE28-56AA4BA4B7E8}.exe

Filesize
83KB

MD5
f588ebdcf76da939b4c3d83b0ffb522b

SHA1
399d5d7deaaaaa21a765fb0e4753f2aa4a73b1ea

SHA256
16e6de44df445f8668e8c6ea3ffc680c59c237bb628a2fe833513687b3cebf4d

SHA512
65f697c32c80b31be8079881e93516b0246da93be991f2c0f7735b1bd526242115e112978ab3a641df6731bc57ea5d4b20cf8a0a3e363e6c6d5a40b0c58f152e

Download Submit
C:\Windows\{59150BE3-A8EC-44c6-BC69-A8F0CBC1A153}.exe

Filesize
83KB

MD5
65117a9b3bbcbdf147b3670fc9f2a2a4

SHA1
6f93c1df955f33e94133b1a7eaadb66124321d29

SHA256
4aaeffdfe8b55dd5b1003fa79a609df652dae1958df0d4b4d1c186bdf59e9339

SHA512
abebbf24b2c66b962f3c85e12d479b7dbee30e98797a3b89bb819e0f2b3672df745b4eda3661c026b6e7f3a229d263d82936e6a2c47a5afe987d439d9496d317

Download Submit
C:\Windows\{61481E6F-6B1E-4999-B85A-FE3D7F0B1BF5}.exe

Filesize
83KB

MD5
24734952309d7d46a5fc6beb938431e3

SHA1
407f51f4e1f20f6330caef2f8254e99c73abdeb3

SHA256
23832a9f3ce0190f45c756915528534f7d9daad06afcfadb8b1b9e60516238cd

SHA512
867b0f7def2b84272b8c4006e42c3d57fa6d9cc81949ae6a2a6f7f3e054efb9dce87b1cbd7d639650ac2e21f2292221bc31d23ab07419943301a621e1fdc1858

Download Submit
C:\Windows\{6C424EB8-8688-4e29-8450-789007D6FD34}.exe

Filesize
83KB

MD5
a8bdb89f0a704e3cb91f4646e18db1bf

SHA1
6a65462a1a0644cd0337e32fbf97d8d62e9a640b

SHA256
2e4de23047881931fbd333ab8b7d055abb5c4374a07b09423a02debd58bb8bc1

SHA512
edb19c11b9c9eddc3a7b5ec9b06f7c9ef383263e85a08d35fa149f503e31013242e623d92ce9de02ebb573bdff1dfe40abb94bbc6efc5ce00ca2faedde79fa6b

Download Submit
C:\Windows\{798C9ECA-1AFF-45b5-BB62-C9DE37DF97AD}.exe

Filesize
83KB

MD5
fc366e26780bbc2bace875182faac121

SHA1
9ea5424e0ce3f5d299b992b69bf423dfad7765a1

SHA256
3c03a91cf7183e0a68462c1d0144f248bf7f77df97e3d10a6e4f47e56c56d7ef

SHA512
b7c74ee434e3753d7b1ef2a2ad14c1a7aa8fc6ea4058a937bb827811a500c13aed40a5d57a1a2ab22a50d4c3800d7a336c658af1523268386e6b7f3c044fdf2d

Download Submit
C:\Windows\{97D90738-7D5B-4642-8CFA-82C1754BBCE5}.exe

Filesize
83KB

MD5
c108a449be7e2a43f96c29d3cfaa545d

SHA1
ecc92525ab6849896d99af2e7269306f1525c3eb

SHA256
bb9ce3ede95c67194178a3f34e88bd46fb835e4df9ab06895b1b240e5783a8c7

SHA512
8a1c7805124173db408c49c020338bcee7c04b4c283d163f91f4b94835cb23102d34eb1013b483fb2e0975523d66d116ff13a6ae0d4a2291412009f01ee0db28

Download Submit
C:\Windows\{99C6AF37-7637-4044-B51D-6E01E756D512}.exe

Filesize
83KB

MD5
0a4dc371c36f0d92de0a76afb00b071a

SHA1
b8f44bd5f7c28f75958e3446dfd5701efd5c7afb

SHA256
aa9c484c94ccfb4a065955cb3dc795a7bc397eee3c9efab2b9accc7062b00a84

SHA512
0b0d0079b93eb774f38598db79de98cd6e1689c8f640ce5fd21ccd5cd54ac6330db0c60385478d671575df2b69e4e4560730b9320f07a2cd258ff7cade9e1e75

Download Submit
C:\Windows\{AE3CB59C-5AA7-46dd-BE0A-55EAD500E037}.exe

Filesize
83KB

MD5
f9fa8a2176841b897207569ccad3b812

SHA1
364c0e01b6d5f49f2926e3a6836ba36b76280ab0

SHA256
57a5c745b386cd22ec32fdff1a75ab045e8900b1ce6507641c5fb9ab59784f0d

SHA512
47e7bd475ebe056b46a5d7f0d14461b0aae6e3d7d48c2a3a41f97e416510969fc2e2b22a6f7a50e6ccb2a5ad7cf9c75bc2dbc151d18d6cdd95d6fe90088c5dc5

Download Submit
C:\Windows\{C3EB95CE-B2BF-4782-B3FD-67258DD97EFB}.exe

Filesize
83KB

MD5
7d51fbf6eaaed73da4dbe280e24479e0

SHA1
9a8974e7d6b7ac81cd79b93bdbf18d2deb74a9e2

SHA256
98fb191a4d5fd60f65039fc14e61a424d134e03640bde9059f6b9998ee2a4e1a

SHA512
0d10a219198a4a0fb323a9d2aa1389f0a7cd74191af5fe34c8ff622c9ef6976429ec049cedc57f842b77b1e7bc784faeb3528e59d4fc8d9f9471f6bf43661e4e

Download Submit
C:\Windows\{CE7461A9-C563-46d9-876A-A5C6B8F355FB}.exe

Filesize
83KB

MD5
e0edd5bac9f238b2601035eb980d9058

SHA1
f4d7c24ea67507f8170ebc91f71bb38c72431ef7

SHA256
b71fd04ce9fbabd4503cf56c9bb14278e8a0ee859dbabc9f6b7a2ab6ed998177

SHA512
27503178acb0b43cdc97c02a6654587accadc60a83d5200fac40109eb101550d0aeff826c8da0d5e68f476b18681e727ce680a3c91eb9c775d3205119e55a5b8

Download Submit
memory/344-112-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/444-95-0x00000000004B0000-0x00000000004C3000-memory.dmp

Filesize
76KB

Download
memory/444-92-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/444-100-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1180-69-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1180-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1532-111-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1532-105-0x0000000000380000-0x0000000000393000-memory.dmp

Filesize
76KB

Download
memory/1532-102-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1884-72-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1884-76-0x0000000000390000-0x00000000003A3000-memory.dmp

Filesize
76KB

Download
memory/1884-80-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1884-71-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2284-40-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2284-38-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/2284-34-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/2284-30-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2332-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2332-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2332-3-0x00000000004B0000-0x00000000004C3000-memory.dmp

Filesize
76KB

Download
memory/2332-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2352-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2352-59-0x00000000002F0000-0x0000000000303000-memory.dmp

Filesize
76KB

Download
memory/2352-55-0x00000000002F0000-0x0000000000303000-memory.dmp

Filesize
76KB

Download
memory/2352-51-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2352-50-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2368-14-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/2368-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2368-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2636-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2636-48-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2844-85-0x0000000000320000-0x0000000000333000-memory.dmp

Filesize
76KB

Download
memory/2844-91-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2844-82-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2908-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2908-24-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/2908-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads