256fb74261454862a7d60629f94cfd17111a2e94d25abd68046be2b4ed4d9b87

General

Target

deed contract_11.19.2020.doc
Size

104KB
MD5

ab684a20573095e717d981ecf1aa3628
SHA1

03e64be4b32f995c92d9a520e577af69ee74ac73
SHA256

256fb74261454862a7d60629f94cfd17111a2e94d25abd68046be2b4ed4d9b87
SHA512

b2aa52ad891f18ff76ddb3ba89518a1f599003d044b3e2e3525a605e467b81840286cef764c3caae128f44bfe14e2f28520d303a302076dc77b02cb147a89549

Score

8^/10

Malware Config

Signatures

Blacklisted process makes network request 70 IoCs

Processes:

rundll32.exe

flow	pid	process
9	680	rundll32.exe
11	680	rundll32.exe
13	680	rundll32.exe
15	680	rundll32.exe
17	680	rundll32.exe
20	680	rundll32.exe
22	680	rundll32.exe
23	680	rundll32.exe
24	680	rundll32.exe
25	680	rundll32.exe
26	680	rundll32.exe
27	680	rundll32.exe
28	680	rundll32.exe
29	680	rundll32.exe
30	680	rundll32.exe
31	680	rundll32.exe
32	680	rundll32.exe
33	680	rundll32.exe
34	680	rundll32.exe
35	680	rundll32.exe
36	680	rundll32.exe
37	680	rundll32.exe
38	680	rundll32.exe
39	680	rundll32.exe
40	680	rundll32.exe
41	680	rundll32.exe
42	680	rundll32.exe
43	680	rundll32.exe
44	680	rundll32.exe
45	680	rundll32.exe
46	680	rundll32.exe
47	680	rundll32.exe
48	680	rundll32.exe
49	680	rundll32.exe
50	680	rundll32.exe
51	680	rundll32.exe
52	680	rundll32.exe
53	680	rundll32.exe
54	680	rundll32.exe
55	680	rundll32.exe
57	680	rundll32.exe
58	680	rundll32.exe
59	680	rundll32.exe
60	680	rundll32.exe
62	680	rundll32.exe
63	680	rundll32.exe
64	680	rundll32.exe
65	680	rundll32.exe
66	680	rundll32.exe
67	680	rundll32.exe
68	680	rundll32.exe
69	680	rundll32.exe
70	680	rundll32.exe
71	680	rundll32.exe
72	680	rundll32.exe
74	680	rundll32.exe
76	680	rundll32.exe
77	680	rundll32.exe
78	680	rundll32.exe
79	680	rundll32.exe
80	680	rundll32.exe
81	680	rundll32.exe
82	680	rundll32.exe
83	680	rundll32.exe

Executes dropped EXE 1 IoCs

Processes:

in.com

pid process

1152 in.com
Loads dropped DLL 3 IoCs

Processes:

WINWORD.EXErundll32.exe

pid process

1040 WINWORD.EXE
1040 WINWORD.EXE
680 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1152	in.com

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEin.com

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	in.com
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1040 WINWORD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WINWORD.EXE

pid process

1040 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeShutdownPrivilege 1040 WINWORD.EXE

description	pid	process
Token: SeShutdownPrivilege	1040	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE
1040	WINWORD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WINWORD.EXEin.com

description	pid	process	target process
PID 1040 wrote to memory of 1152	1040	WINWORD.EXE	in.com
PID 1040 wrote to memory of 1152	1040	WINWORD.EXE	in.com
PID 1040 wrote to memory of 1152	1040	WINWORD.EXE	in.com
PID 1040 wrote to memory of 1152	1040	WINWORD.EXE	in.com
PID 1040 wrote to memory of 1800	1040	WINWORD.EXE	splwow64.exe
PID 1040 wrote to memory of 1800	1040	WINWORD.EXE	splwow64.exe
PID 1040 wrote to memory of 1800	1040	WINWORD.EXE	splwow64.exe
PID 1040 wrote to memory of 1800	1040	WINWORD.EXE	splwow64.exe
PID 1152 wrote to memory of 680	1152	in.com	rundll32.exe
PID 1152 wrote to memory of 680	1152	in.com	rundll32.exe
PID 1152 wrote to memory of 680	1152	in.com	rundll32.exe
PID 1152 wrote to memory of 680	1152	in.com	rundll32.exe
PID 1152 wrote to memory of 680	1152	in.com	rundll32.exe
PID 1152 wrote to memory of 680	1152	in.com	rundll32.exe
PID 1152 wrote to memory of 680	1152	in.com	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\deed contract_11.19.2020.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\in.com
"C:\Users\Admin\AppData\Local\Temp\in.com" C:\Users\Admin\AppData\Local\Temp\in.html
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\temp.tmp,ShowDialogA -r
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
PID:680

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\in.com
MD5
abdfc692d9fe43e2ba8fe6cb5a8cb95a

SHA1
d4f0397f83083e1c6fb0894187cc72aebcf2f34f

SHA256
949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820

SHA512
c786bfb6a2316e43cb89901fae103157ec6b65117c292dc7570dd4685891b5afbb72064789b74bf55fe012c5936ed6468876e4d2cccdeff71b4abb2d76ff395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\in.com
MD5
abdfc692d9fe43e2ba8fe6cb5a8cb95a

SHA1
d4f0397f83083e1c6fb0894187cc72aebcf2f34f

SHA256
949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820

SHA512
c786bfb6a2316e43cb89901fae103157ec6b65117c292dc7570dd4685891b5afbb72064789b74bf55fe012c5936ed6468876e4d2cccdeff71b4abb2d76ff395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\in.html
MD5
5897a9ec9e6d33494599a6f48c5ab622

SHA1
1451ccf5e1d28c08430b3a4bb15ee57e9d35bf6b

SHA256
3d9f00f9355fb518d2104bf07c5b8068a98ee357bacea2c4610cab34b55be9e5

SHA512
6693b49c6666c59bcc79aacedc95186c34c9b7890fa2a7115bd29c1d10f97c7912bdf78b05b1b5db838693da14ebb23c0f04008ae5e79d3563c6aa1db97514e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.tmp
MD5
1296a2f1297fc4f50c7272f25a30539c

SHA1
3232cc880600c2afd3fc6e3f88e10b0eb7d47e13

SHA256
a693a20855c3b8971ddd112a73664c2d895149ed7b9b7e0a30c35f44fed65601

SHA512
3285e5976b772389da7391ee0ee8075ebe46aa5686a34b02c32e28f0e4697d963274c97bb4d6caeaec60625ced0c2aa702ec1f762ee2fa47fc0e5374f7f86219

Download Submit
\Users\Admin\AppData\Local\Temp\in.com
MD5
abdfc692d9fe43e2ba8fe6cb5a8cb95a

SHA1
d4f0397f83083e1c6fb0894187cc72aebcf2f34f

SHA256
949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820

SHA512
c786bfb6a2316e43cb89901fae103157ec6b65117c292dc7570dd4685891b5afbb72064789b74bf55fe012c5936ed6468876e4d2cccdeff71b4abb2d76ff395f

Download Submit
\Users\Admin\AppData\Local\Temp\in.com
MD5
abdfc692d9fe43e2ba8fe6cb5a8cb95a

SHA1
d4f0397f83083e1c6fb0894187cc72aebcf2f34f

SHA256
949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820

SHA512
c786bfb6a2316e43cb89901fae103157ec6b65117c292dc7570dd4685891b5afbb72064789b74bf55fe012c5936ed6468876e4d2cccdeff71b4abb2d76ff395f

Download Submit
\Users\Admin\AppData\Local\Temp\temp.tmp
MD5
1296a2f1297fc4f50c7272f25a30539c

SHA1
3232cc880600c2afd3fc6e3f88e10b0eb7d47e13

SHA256
a693a20855c3b8971ddd112a73664c2d895149ed7b9b7e0a30c35f44fed65601

SHA512
3285e5976b772389da7391ee0ee8075ebe46aa5686a34b02c32e28f0e4697d963274c97bb4d6caeaec60625ced0c2aa702ec1f762ee2fa47fc0e5374f7f86219

Download Submit
memory/680-12-0x0000000000000000-mapping.dmp

Download
memory/1040-3-0x00000000003C7000-0x00000000003CB000-memory.dmp

Filesize
16KB

Download
memory/1040-0-0x0000000004D7D000-0x0000000004D82000-memory.dmp

Filesize
20KB

Download
memory/1040-2-0x00000000003C7000-0x00000000003CB000-memory.dmp

Filesize
16KB

Download
memory/1040-1-0x0000000000427000-0x000000000042A000-memory.dmp

Filesize
12KB

Download
memory/1040-17-0x0000000007F90000-0x0000000007F94000-memory.dmp

Filesize
16KB

Download
memory/1040-18-0x0000000007F90000-0x0000000007F94000-memory.dmp

Filesize
16KB

Download
memory/1040-19-0x0000000007B90000-0x0000000007B94000-memory.dmp

Filesize
16KB

Download
memory/1152-6-0x0000000000000000-mapping.dmp

Download
memory/1664-10-0x000007FEF7880000-0x000007FEF7AFA000-memory.dmp

Filesize
2.5MB

Download
memory/1800-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads