gozi_rm3 | afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984

General

Target

afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984.dll
Size

449KB
MD5

caec766872f0fc3c7e4af0bf1e5cc939
SHA1

dfb603663f5de381eafb617dccf51a2c30f34a4d
SHA256

afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984
SHA512

aa22e020c44220258aabf0950de87846860c4a7bea1a6e9c50f2a7fa6ca537952398b2322acab8a24c75424cabc1466cf00714d884db4f2252bf60b586e0ecf1

Score

10^/10

gozi_rm3 210301 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

210301

C2

https://gotoregt.space

Attributes

build
300960
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

12 2020 rundll32.exe
35 2020 rundll32.exe
76 2020 rundll32.exe
87 2020 rundll32.exe
100 2020 rundll32.exe

flow	pid	process
12	2020	rundll32.exe
35	2020	rundll32.exe
76	2020	rundll32.exe
87	2020	rundll32.exe
100	2020	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8CD0E311-8D8B-11EB-A309-520DDC0DB10A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid	process
708	iexplore.exe
1640	iexplore.exe
480	iexplore.exe
936	iexplore.exe
940	iexplore.exe
1976	iexplore.exe
432	iexplore.exe
968	iexplore.exe
1992	iexplore.exe
1804	iexplore.exe
1168	iexplore.exe
1472	iexplore.exe
848	iexplore.exe
1940	iexplore.exe
1976	iexplore.exe
1532	iexplore.exe
596	iexplore.exe
568	iexplore.exe
436	iexplore.exe
1832	iexplore.exe
536	iexplore.exe
1528	iexplore.exe
632	iexplore.exe
2028	iexplore.exe
544	iexplore.exe
1972	iexplore.exe
848	iexplore.exe
1292	iexplore.exe
980	iexplore.exe
764	iexplore.exe
888	iexplore.exe
1468	iexplore.exe
1380	iexplore.exe
1740	iexplore.exe
1404	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
708	iexplore.exe
708	iexplore.exe
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE
1640	iexplore.exe
1640	iexplore.exe
972	IEXPLORE.EXE
972	IEXPLORE.EXE
480	iexplore.exe
480	iexplore.exe
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
936	iexplore.exe
936	iexplore.exe
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE
940	iexplore.exe
940	iexplore.exe
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE
1976	iexplore.exe
1976	iexplore.exe
1484	IEXPLORE.EXE
1484	IEXPLORE.EXE
432	iexplore.exe
432	iexplore.exe
644	IEXPLORE.EXE
644	IEXPLORE.EXE
968	iexplore.exe
968	iexplore.exe
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1992	iexplore.exe
1992	iexplore.exe
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1804	iexplore.exe
1804	iexplore.exe
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
1168	iexplore.exe
1168	iexplore.exe
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1472	iexplore.exe
1472	iexplore.exe
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
848	iexplore.exe
848	iexplore.exe
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
1940	iexplore.exe
1940	iexplore.exe
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
1976	iexplore.exe
1976	iexplore.exe
616	IEXPLORE.EXE
616	IEXPLORE.EXE
1532	iexplore.exe
1532	iexplore.exe
268	IEXPLORE.EXE
268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 792 wrote to memory of 2020	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 2020	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 2020	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 2020	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 2020	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 2020	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 2020	792	rundll32.exe	rundll32.exe
PID 708 wrote to memory of 1104	708	iexplore.exe	IEXPLORE.EXE
PID 708 wrote to memory of 1104	708	iexplore.exe	IEXPLORE.EXE
PID 708 wrote to memory of 1104	708	iexplore.exe	IEXPLORE.EXE
PID 708 wrote to memory of 1104	708	iexplore.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 972	1640	iexplore.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 972	1640	iexplore.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 972	1640	iexplore.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 972	1640	iexplore.exe	IEXPLORE.EXE
PID 480 wrote to memory of 1092	480	iexplore.exe	IEXPLORE.EXE
PID 480 wrote to memory of 1092	480	iexplore.exe	IEXPLORE.EXE
PID 480 wrote to memory of 1092	480	iexplore.exe	IEXPLORE.EXE
PID 480 wrote to memory of 1092	480	iexplore.exe	IEXPLORE.EXE
PID 936 wrote to memory of 1204	936	iexplore.exe	IEXPLORE.EXE
PID 936 wrote to memory of 1204	936	iexplore.exe	IEXPLORE.EXE
PID 936 wrote to memory of 1204	936	iexplore.exe	IEXPLORE.EXE
PID 936 wrote to memory of 1204	936	iexplore.exe	IEXPLORE.EXE
PID 940 wrote to memory of 1604	940	iexplore.exe	IEXPLORE.EXE
PID 940 wrote to memory of 1604	940	iexplore.exe	IEXPLORE.EXE
PID 940 wrote to memory of 1604	940	iexplore.exe	IEXPLORE.EXE
PID 940 wrote to memory of 1604	940	iexplore.exe	IEXPLORE.EXE
PID 1976 wrote to memory of 1484	1976	iexplore.exe	IEXPLORE.EXE
PID 1976 wrote to memory of 1484	1976	iexplore.exe	IEXPLORE.EXE
PID 1976 wrote to memory of 1484	1976	iexplore.exe	IEXPLORE.EXE
PID 1976 wrote to memory of 1484	1976	iexplore.exe	IEXPLORE.EXE
PID 432 wrote to memory of 644	432	iexplore.exe	IEXPLORE.EXE
PID 432 wrote to memory of 644	432	iexplore.exe	IEXPLORE.EXE
PID 432 wrote to memory of 644	432	iexplore.exe	IEXPLORE.EXE
PID 432 wrote to memory of 644	432	iexplore.exe	IEXPLORE.EXE
PID 968 wrote to memory of 1348	968	iexplore.exe	IEXPLORE.EXE
PID 968 wrote to memory of 1348	968	iexplore.exe	IEXPLORE.EXE
PID 968 wrote to memory of 1348	968	iexplore.exe	IEXPLORE.EXE
PID 968 wrote to memory of 1348	968	iexplore.exe	IEXPLORE.EXE
PID 1992 wrote to memory of 1808	1992	iexplore.exe	IEXPLORE.EXE
PID 1992 wrote to memory of 1808	1992	iexplore.exe	IEXPLORE.EXE
PID 1992 wrote to memory of 1808	1992	iexplore.exe	IEXPLORE.EXE
PID 1992 wrote to memory of 1808	1992	iexplore.exe	IEXPLORE.EXE
PID 1804 wrote to memory of 1956	1804	iexplore.exe	IEXPLORE.EXE
PID 1804 wrote to memory of 1956	1804	iexplore.exe	IEXPLORE.EXE
PID 1804 wrote to memory of 1956	1804	iexplore.exe	IEXPLORE.EXE
PID 1804 wrote to memory of 1956	1804	iexplore.exe	IEXPLORE.EXE
PID 1168 wrote to memory of 1480	1168	iexplore.exe	IEXPLORE.EXE
PID 1168 wrote to memory of 1480	1168	iexplore.exe	IEXPLORE.EXE
PID 1168 wrote to memory of 1480	1168	iexplore.exe	IEXPLORE.EXE
PID 1168 wrote to memory of 1480	1168	iexplore.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 1120	1472	iexplore.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 1120	1472	iexplore.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 1120	1472	iexplore.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 1120	1472	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 1564	848	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 1564	848	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 1564	848	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 1564	848	iexplore.exe	IEXPLORE.EXE
PID 1940 wrote to memory of 1912	1940	iexplore.exe	IEXPLORE.EXE
PID 1940 wrote to memory of 1912	1940	iexplore.exe	IEXPLORE.EXE
PID 1940 wrote to memory of 1912	1940	iexplore.exe	IEXPLORE.EXE
PID 1940 wrote to memory of 1912	1940	iexplore.exe	IEXPLORE.EXE
PID 1976 wrote to memory of 616	1976	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:2020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:708
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:708 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1104

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:480
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:480 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:936 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:940
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1484

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:432 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:968 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1348

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1804 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1120

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1532
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:596 CREDAT:275457 /prefetch:2
  2⤵
  PID:520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
PID:568
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:568 CREDAT:275457 /prefetch:2
  2⤵
  PID:1560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:436
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:436 CREDAT:275457 /prefetch:2
  2⤵
  PID:1720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:275457 /prefetch:2
  2⤵
  PID:512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:275457 /prefetch:2
  2⤵
  PID:480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1528
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2
  2⤵
  PID:988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
PID:632
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:632 CREDAT:275457 /prefetch:2
  2⤵
  PID:564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2028
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
  2⤵
  PID:1672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:544
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:544 CREDAT:275457 /prefetch:2
  2⤵
  PID:1504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1972
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2
  2⤵
  PID:984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:848
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1292
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:275457 /prefetch:2
  2⤵
  PID:432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:980
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:980 CREDAT:275457 /prefetch:2
  2⤵
  PID:1028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
PID:764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:275457 /prefetch:2
  2⤵
  PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:888
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:2
  2⤵
  PID:872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1468
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1468 CREDAT:275457 /prefetch:2
  2⤵
  PID:1100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1380
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1380 CREDAT:275457 /prefetch:2
  2⤵
  PID:1192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1740
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
  2⤵
  PID:1820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1404
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1404 CREDAT:275457 /prefetch:2
  2⤵
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4

MD5
50d07e64e3238da3764e519781a4c457

SHA1
df7812d8516572253185a1a09440450a7719ec1d

SHA256
2d6e623cbde0b5632db298f854119721d4974159da4125481674bfb41c61688e

SHA512
7628988e2822282b47c3796238bd87aac5b73e596fa4b5bfa57746890bc2cddc0e0fb445ddc27b1431c029bcd5d1787f64adb7f777583e7d097a8095832ceb48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4

MD5
8ae9f48509f7d15eb90c8a08500507a7

SHA1
23cae8ecfa9b17ee3c476f7e4dbd0a79eaaaf203

SHA256
c1f67aeaa957866284b905926ca4fff80fac5b0160edd0061d89130acfb30b36

SHA512
71643210a55929f85d0bf6045abc6dcb3eb78c3ce787ebd1fb5fb12a2cabc6c208b01007de903b044b03cbf2632e1a8a40b6e6782bd4158f6040d742ab7f565b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
71d934ed4717291d9bc05d5780db4f69

SHA1
cc802ec8a9ac3eb215226dd06de8f36635813969

SHA256
1a746458cb33006feead0df0d5aea18033f1b214cab1675bbf74841d6ecbdc1b

SHA512
68fd197f4cbcdc541eacccd455808f2768add697b9d251b7b705e5039632b9f51c29f4f1ad2d8a21440d2dc0992d061e5de1fd524107c73a0e30c20289ff44d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5
25c8a3b418f612e9f53703f83eb77b89

SHA1
bda8a9d5deaaf3e42dd593f0c232969a684a349e

SHA256
73478ebea61e18030652f1208a5bea1518656e9d2a8d3f289c74bf87c15395e2

SHA512
3fad06e417e592214c5b2d6fda22f345206d2be3e187aa7270609ae1b05808b1b488771a23701e7f9331b75eeae3716bd03aacc8d2c122431c3cb391b9cf30fd

Download Submit
memory/268-41-0x0000000000000000-mapping.dmp

Download
memory/432-64-0x0000000000000000-mapping.dmp

Download
memory/432-27-0x0000000001FC0000-0x0000000001FD0000-memory.dmp

Filesize
64KB

Download
memory/480-51-0x0000000000000000-mapping.dmp

Download
memory/512-49-0x0000000000000000-mapping.dmp

Download
memory/520-43-0x0000000000000000-mapping.dmp

Download
memory/564-55-0x0000000000000000-mapping.dmp

Download
memory/616-39-0x0000000000000000-mapping.dmp

Download
memory/644-28-0x0000000000000000-mapping.dmp

Download
memory/708-7-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/872-70-0x0000000000000000-mapping.dmp

Download
memory/936-61-0x0000000000000000-mapping.dmp

Download
memory/972-12-0x0000000000000000-mapping.dmp

Download
memory/984-60-0x0000000000000000-mapping.dmp

Download
memory/988-53-0x0000000000000000-mapping.dmp

Download
memory/1028-65-0x0000000000000000-mapping.dmp

Download
memory/1092-17-0x0000000000000000-mapping.dmp

Download
memory/1100-72-0x0000000000000000-mapping.dmp

Download
memory/1104-9-0x0000000000000000-mapping.dmp

Download
memory/1120-36-0x0000000000000000-mapping.dmp

Download
memory/1192-74-0x0000000000000000-mapping.dmp

Download
memory/1204-21-0x0000000000000000-mapping.dmp

Download
memory/1316-77-0x0000000000000000-mapping.dmp

Download
memory/1348-30-0x0000000000000000-mapping.dmp

Download
memory/1480-35-0x0000000000000000-mapping.dmp

Download
memory/1484-25-0x0000000000000000-mapping.dmp

Download
memory/1504-58-0x0000000000000000-mapping.dmp

Download
memory/1560-46-0x0000000000000000-mapping.dmp

Download
memory/1564-37-0x0000000000000000-mapping.dmp

Download
memory/1604-22-0x0000000000000000-mapping.dmp

Download
memory/1672-56-0x0000000000000000-mapping.dmp

Download
memory/1700-8-0x000007FEF7EB0000-0x000007FEF812A000-memory.dmp

Filesize
2.5MB

Download
memory/1720-48-0x0000000000000000-mapping.dmp

Download
memory/1808-31-0x0000000000000000-mapping.dmp

Download
memory/1820-76-0x0000000000000000-mapping.dmp

Download
memory/1912-38-0x0000000000000000-mapping.dmp

Download
memory/1956-33-0x0000000000000000-mapping.dmp

Download
memory/1984-68-0x0000000000000000-mapping.dmp

Download
memory/2020-2-0x0000000000000000-mapping.dmp

Download
memory/2020-4-0x0000000075430000-0x000000007543F000-memory.dmp

Filesize
60KB

Download
memory/2020-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2020-3-0x0000000076861000-0x0000000076863000-memory.dmp

Filesize
8KB

Download
memory/2020-6-0x0000000000280000-0x0000000000293000-memory.dmp

Filesize
76KB

Download
memory/2020-11-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads