36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012

Analysis

max time kernel
118s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe
Size

1.8MB
MD5

e37265808eb0f82136350a3d7ada4720
SHA1

8a0b39bb8bdd561a4dd6dca8a8c13a148beb4071
SHA256

36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012
SHA512

63349036c253293f778fd73e8bbfe5e1b1782624651d6c827ecec8494fff5bc13febec98df784a1ffdec0a3c052504661d6ad72793ced8ee40721926f41b8e06
SSDEEP

49152:RNMqQ0kwonLVkZep9nWrPWwONrRoODiGgDWAg2CPaSAnYvJW3BTSXff6YNQVWIPd:RiqQ0kwonLVkZep9nWrPWwONrRoODiG8

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe

Executes dropped EXE 3 IoCs

pid	Process
4072	Firefox.exe
3636	Firefox.exe
4860	Firefox.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater 3 = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4072 set thread context of 3636	4072	Firefox.exe	92
PID 4072 set thread context of 4860	4072	Firefox.exe	93

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3636-31-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3636-34-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3636-36-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4860-44-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4860-40-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4860-46-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3636-51-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3636-52-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4860-53-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3636-56-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3636-59-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3636-61-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3636-77-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1620	reg.exe
1900	reg.exe
736	reg.exe
996	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	3636	Firefox.exe
Token: SeCreateTokenPrivilege	3636	Firefox.exe
Token: SeAssignPrimaryTokenPrivilege	3636	Firefox.exe
Token: SeLockMemoryPrivilege	3636	Firefox.exe
Token: SeIncreaseQuotaPrivilege	3636	Firefox.exe
Token: SeMachineAccountPrivilege	3636	Firefox.exe
Token: SeTcbPrivilege	3636	Firefox.exe
Token: SeSecurityPrivilege	3636	Firefox.exe
Token: SeTakeOwnershipPrivilege	3636	Firefox.exe
Token: SeLoadDriverPrivilege	3636	Firefox.exe
Token: SeSystemProfilePrivilege	3636	Firefox.exe
Token: SeSystemtimePrivilege	3636	Firefox.exe
Token: SeProfSingleProcessPrivilege	3636	Firefox.exe
Token: SeIncBasePriorityPrivilege	3636	Firefox.exe
Token: SeCreatePagefilePrivilege	3636	Firefox.exe
Token: SeCreatePermanentPrivilege	3636	Firefox.exe
Token: SeBackupPrivilege	3636	Firefox.exe
Token: SeRestorePrivilege	3636	Firefox.exe
Token: SeShutdownPrivilege	3636	Firefox.exe
Token: SeDebugPrivilege	3636	Firefox.exe
Token: SeAuditPrivilege	3636	Firefox.exe
Token: SeSystemEnvironmentPrivilege	3636	Firefox.exe
Token: SeChangeNotifyPrivilege	3636	Firefox.exe
Token: SeRemoteShutdownPrivilege	3636	Firefox.exe
Token: SeUndockPrivilege	3636	Firefox.exe
Token: SeSyncAgentPrivilege	3636	Firefox.exe
Token: SeEnableDelegationPrivilege	3636	Firefox.exe
Token: SeManageVolumePrivilege	3636	Firefox.exe
Token: SeImpersonatePrivilege	3636	Firefox.exe
Token: SeCreateGlobalPrivilege	3636	Firefox.exe
Token: 31	3636	Firefox.exe
Token: 32	3636	Firefox.exe
Token: 33	3636	Firefox.exe
Token: 34	3636	Firefox.exe
Token: 35	3636	Firefox.exe
Token: SeDebugPrivilege	4860	Firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3644	36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe
4072	Firefox.exe
3636	Firefox.exe
3636	Firefox.exe
4860	Firefox.exe
3636	Firefox.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 2520	3644	36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe	86
PID 3644 wrote to memory of 2520	3644	36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe	86
PID 3644 wrote to memory of 2520	3644	36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe	86
PID 2520 wrote to memory of 2332	2520	cmd.exe	90
PID 2520 wrote to memory of 2332	2520	cmd.exe	90
PID 2520 wrote to memory of 2332	2520	cmd.exe	90
PID 3644 wrote to memory of 4072	3644	36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe	91
PID 3644 wrote to memory of 4072	3644	36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe	91
PID 3644 wrote to memory of 4072	3644	36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe	91
PID 4072 wrote to memory of 3636	4072	Firefox.exe	92
PID 4072 wrote to memory of 3636	4072	Firefox.exe	92
PID 4072 wrote to memory of 3636	4072	Firefox.exe	92
PID 4072 wrote to memory of 3636	4072	Firefox.exe	92
PID 4072 wrote to memory of 3636	4072	Firefox.exe	92
PID 4072 wrote to memory of 3636	4072	Firefox.exe	92
PID 4072 wrote to memory of 3636	4072	Firefox.exe	92
PID 4072 wrote to memory of 3636	4072	Firefox.exe	92
PID 4072 wrote to memory of 4860	4072	Firefox.exe	93
PID 4072 wrote to memory of 4860	4072	Firefox.exe	93
PID 4072 wrote to memory of 4860	4072	Firefox.exe	93
PID 4072 wrote to memory of 4860	4072	Firefox.exe	93
PID 4072 wrote to memory of 4860	4072	Firefox.exe	93
PID 4072 wrote to memory of 4860	4072	Firefox.exe	93
PID 4072 wrote to memory of 4860	4072	Firefox.exe	93
PID 4072 wrote to memory of 4860	4072	Firefox.exe	93
PID 3636 wrote to memory of 1464	3636	Firefox.exe	94
PID 3636 wrote to memory of 1464	3636	Firefox.exe	94
PID 3636 wrote to memory of 1464	3636	Firefox.exe	94
PID 3636 wrote to memory of 2740	3636	Firefox.exe	95
PID 3636 wrote to memory of 2740	3636	Firefox.exe	95
PID 3636 wrote to memory of 2740	3636	Firefox.exe	95
PID 3636 wrote to memory of 2240	3636	Firefox.exe	96
PID 3636 wrote to memory of 2240	3636	Firefox.exe	96
PID 3636 wrote to memory of 2240	3636	Firefox.exe	96
PID 3636 wrote to memory of 1424	3636	Firefox.exe	97
PID 3636 wrote to memory of 1424	3636	Firefox.exe	97
PID 3636 wrote to memory of 1424	3636	Firefox.exe	97
PID 1464 wrote to memory of 1620	1464	cmd.exe	102
PID 1464 wrote to memory of 1620	1464	cmd.exe	102
PID 1464 wrote to memory of 1620	1464	cmd.exe	102
PID 2740 wrote to memory of 1900	2740	cmd.exe	103
PID 2740 wrote to memory of 1900	2740	cmd.exe	103
PID 2740 wrote to memory of 1900	2740	cmd.exe	103
PID 2240 wrote to memory of 736	2240	cmd.exe	104
PID 2240 wrote to memory of 736	2240	cmd.exe	104
PID 2240 wrote to memory of 736	2240	cmd.exe	104
PID 1424 wrote to memory of 996	1424	cmd.exe	105
PID 1424 wrote to memory of 996	1424	cmd.exe	105
PID 1424 wrote to memory of 996	1424	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe
"C:\Users\Admin\AppData\Local\Temp\36d7b026a36c528a2b77f5bd1e3089981239d092fd7c4e745cdbd63634ae4012N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuxZD.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Updater 3" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2332
- C:\Users\Admin\AppData\Roaming\Firefox.exe
  "C:\Users\Admin\AppData\Roaming\Firefox.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Users\Admin\AppData\Roaming\Firefox.exe
    C:\Users\Admin\AppData\Roaming\Firefox.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:996
- - C:\Users\Admin\AppData\Roaming\Firefox.exe
    C:\Users\Admin\AppData\Roaming\Firefox.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VuxZD.txt

Filesize
143B

MD5
962bc493b87f298696ad6e3eed7c7937

SHA1
985cc0c7e37e2465c4349abd528e120663ebd205

SHA256
c167e2faa5307ac291ff833b8a1f5f802eaa028d1aba8d1ad342ca84c07bdb01

SHA512
9dd2b755a404b74206b713ab17d2ddedacc48910e942dab71cf7e98d8d25322c24e32648f0881136e5425134aaccfbfd9bdc52ceb4519bd07e97c5564116f173

Download Submit
C:\Users\Admin\AppData\Roaming\Firefox.txt

Filesize
1.8MB

MD5
3c35b8d86501f56f7dd0f835d9e917c4

SHA1
096515b16719f4b362ee3f18f98dcf89df37ada4

SHA256
bbf59a6ef6d7a3067ebc0bba529886cb580019b381a9b089236818c4a5b1e083

SHA512
7d3e59e3f427752164c3f39520f728ef2902cfda9a5a951ad6b01a4371a473da77614e5171b5240d4b9386bdcb1a3f674c6ba62186b3865f44d681cd0c7b2a71

Download Submit
memory/3636-56-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3636-31-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3636-34-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3636-36-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3636-77-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3636-61-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3636-59-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3636-51-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3636-52-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3644-0-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4860-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4860-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4860-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4860-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads