14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7v20210410
submitted
13-05-2021 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Size

255KB
MD5

5596c16aa632fda3736791a939823e5a
SHA1

82083ec2d74969fd07aa5b878287779b0c85a507
SHA256

14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1
SHA512

ddb44da1636aa43953da973702beca76233e8bb4a0580c31525f21bb6d7b22f5bccfa8c0b0fae6a20415e255f79a204a023b465e8ef1b7df3b7c0927a503a6e9

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Disables RegEdit via registry modification
evasion
Executes dropped EXE 5 IoCs

Processes:

zyitkiivaj.exeztnwykfyecsbvrc.exeocpjdimp.exellieahfmagiem.exeocpjdimp.exe

pid process

1412 zyitkiivaj.exe
1972 ztnwykfyecsbvrc.exe
2000 ocpjdimp.exe
1740 llieahfmagiem.exe
2008 ocpjdimp.exe

pid	process
1412	zyitkiivaj.exe
1972	ztnwykfyecsbvrc.exe
2000	ocpjdimp.exe
1740	llieahfmagiem.exe
2008	ocpjdimp.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\zyitkiivaj.exe	upx
\Windows\SysWOW64\ztnwykfyecsbvrc.exe	upx
C:\Windows\SysWOW64\zyitkiivaj.exe	upx
C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe	upx
\Windows\SysWOW64\ocpjdimp.exe	upx
\Windows\SysWOW64\llieahfmagiem.exe	upx
C:\Windows\SysWOW64\ocpjdimp.exe	upx
C:\Windows\SysWOW64\llieahfmagiem.exe	upx
C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe	upx
C:\Windows\SysWOW64\ocpjdimp.exe	upx
C:\Windows\SysWOW64\zyitkiivaj.exe	upx
C:\Windows\SysWOW64\llieahfmagiem.exe	upx
\Windows\SysWOW64\ocpjdimp.exe	upx
C:\Windows\SysWOW64\ocpjdimp.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	upx
C:\Users\Admin\Documents\ReceiveEdit.doc.exe	upx
C:\Users\Admin\Downloads\InvokeUndo.doc.exe	upx

Loads dropped DLL 5 IoCs

Processes:

14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exezyitkiivaj.exe

pid	process
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1412	zyitkiivaj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

zyitkiivaj.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	zyitkiivaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	zyitkiivaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	zyitkiivaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	zyitkiivaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	zyitkiivaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	zyitkiivaj.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ztnwykfyecsbvrc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ztnwykfyecsbvrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\thhhnumi = "zyitkiivaj.exe"	ztnwykfyecsbvrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ncystvkf = "ztnwykfyecsbvrc.exe"	ztnwykfyecsbvrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "llieahfmagiem.exe"	ztnwykfyecsbvrc.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ocpjdimp.exeocpjdimp.exezyitkiivaj.exe

description	ioc	process
File opened (read-only)	\??\z:	ocpjdimp.exe
File opened (read-only)	\??\z:	ocpjdimp.exe
File opened (read-only)	\??\q:	ocpjdimp.exe
File opened (read-only)	\??\y:	ocpjdimp.exe
File opened (read-only)	\??\v:	ocpjdimp.exe
File opened (read-only)	\??\l:	zyitkiivaj.exe
File opened (read-only)	\??\s:	ocpjdimp.exe
File opened (read-only)	\??\t:	ocpjdimp.exe
File opened (read-only)	\??\a:	ocpjdimp.exe
File opened (read-only)	\??\l:	ocpjdimp.exe
File opened (read-only)	\??\i:	ocpjdimp.exe
File opened (read-only)	\??\v:	ocpjdimp.exe
File opened (read-only)	\??\j:	zyitkiivaj.exe
File opened (read-only)	\??\o:	ocpjdimp.exe
File opened (read-only)	\??\u:	ocpjdimp.exe
File opened (read-only)	\??\i:	ocpjdimp.exe
File opened (read-only)	\??\o:	ocpjdimp.exe
File opened (read-only)	\??\f:	ocpjdimp.exe
File opened (read-only)	\??\g:	ocpjdimp.exe
File opened (read-only)	\??\j:	ocpjdimp.exe
File opened (read-only)	\??\p:	zyitkiivaj.exe
File opened (read-only)	\??\t:	zyitkiivaj.exe
File opened (read-only)	\??\p:	ocpjdimp.exe
File opened (read-only)	\??\a:	zyitkiivaj.exe
File opened (read-only)	\??\g:	zyitkiivaj.exe
File opened (read-only)	\??\z:	zyitkiivaj.exe
File opened (read-only)	\??\n:	ocpjdimp.exe
File opened (read-only)	\??\u:	ocpjdimp.exe
File opened (read-only)	\??\b:	ocpjdimp.exe
File opened (read-only)	\??\q:	ocpjdimp.exe
File opened (read-only)	\??\w:	zyitkiivaj.exe
File opened (read-only)	\??\e:	ocpjdimp.exe
File opened (read-only)	\??\f:	ocpjdimp.exe
File opened (read-only)	\??\a:	ocpjdimp.exe
File opened (read-only)	\??\e:	zyitkiivaj.exe
File opened (read-only)	\??\m:	zyitkiivaj.exe
File opened (read-only)	\??\v:	zyitkiivaj.exe
File opened (read-only)	\??\w:	ocpjdimp.exe
File opened (read-only)	\??\h:	ocpjdimp.exe
File opened (read-only)	\??\w:	ocpjdimp.exe
File opened (read-only)	\??\y:	ocpjdimp.exe
File opened (read-only)	\??\q:	zyitkiivaj.exe
File opened (read-only)	\??\y:	zyitkiivaj.exe
File opened (read-only)	\??\k:	ocpjdimp.exe
File opened (read-only)	\??\i:	zyitkiivaj.exe
File opened (read-only)	\??\o:	zyitkiivaj.exe
File opened (read-only)	\??\u:	zyitkiivaj.exe
File opened (read-only)	\??\x:	ocpjdimp.exe
File opened (read-only)	\??\n:	zyitkiivaj.exe
File opened (read-only)	\??\s:	zyitkiivaj.exe
File opened (read-only)	\??\x:	zyitkiivaj.exe
File opened (read-only)	\??\g:	ocpjdimp.exe
File opened (read-only)	\??\h:	ocpjdimp.exe
File opened (read-only)	\??\l:	ocpjdimp.exe
File opened (read-only)	\??\b:	zyitkiivaj.exe
File opened (read-only)	\??\h:	zyitkiivaj.exe
File opened (read-only)	\??\p:	ocpjdimp.exe
File opened (read-only)	\??\e:	ocpjdimp.exe
File opened (read-only)	\??\t:	ocpjdimp.exe
File opened (read-only)	\??\f:	zyitkiivaj.exe
File opened (read-only)	\??\r:	ocpjdimp.exe
File opened (read-only)	\??\m:	ocpjdimp.exe
File opened (read-only)	\??\r:	zyitkiivaj.exe
File opened (read-only)	\??\j:	ocpjdimp.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

zyitkiivaj.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	zyitkiivaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	zyitkiivaj.exe

Drops file in System32 directory 9 IoCs

Processes:

14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exezyitkiivaj.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\zyitkiivaj.exe	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File opened for modification	C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	zyitkiivaj.exe
File created	C:\Windows\SysWOW64\llieahfmagiem.exe	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File opened for modification	C:\Windows\SysWOW64\llieahfmagiem.exe	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File created	C:\Windows\SysWOW64\zyitkiivaj.exe	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File created	C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File created	C:\Windows\SysWOW64\ocpjdimp.exe	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File opened for modification	C:\Windows\SysWOW64\ocpjdimp.exe	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe

Drops file in Program Files directory 15 IoCs

Processes:

ocpjdimp.exeocpjdimp.exe

description	ioc	process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ocpjdimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ocpjdimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ocpjdimp.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ocpjdimp.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ocpjdimp.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ocpjdimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ocpjdimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ocpjdimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ocpjdimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ocpjdimp.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ocpjdimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ocpjdimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ocpjdimp.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ocpjdimp.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ocpjdimp.exe

Drops file in Windows directory 5 IoCs

Processes:

WINWORD.EXE14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe

description	ioc	process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Modifies registry class 19 IoCs

Processes:

zyitkiivaj.exe14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	zyitkiivaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	zyitkiivaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	zyitkiivaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	zyitkiivaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	zyitkiivaj.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC60B1490DBC3B9C07FE2ED9534CF"	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	zyitkiivaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	zyitkiivaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	zyitkiivaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	zyitkiivaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFF9B0F963F2E784793B4A869D3E98B08A028C4212033BE2C8459B08A9"	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B12944EE39E853CABAA23298D4BF"	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFF8B4829856D9140D72F7D93BDE0E1335940674E6344D799"	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	zyitkiivaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	zyitkiivaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D089C2082206A3776A0702F2DD87D8F64AA"	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BC4FE6C21D0D27ED1D28A749163"	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	zyitkiivaj.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

884 WINWORD.EXE

pid	process
884	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exezyitkiivaj.exeocpjdimp.exellieahfmagiem.exeztnwykfyecsbvrc.exeocpjdimp.exe

pid	process
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1412	zyitkiivaj.exe
1412	zyitkiivaj.exe
1412	zyitkiivaj.exe
1412	zyitkiivaj.exe
1412	zyitkiivaj.exe
2000	ocpjdimp.exe
2000	ocpjdimp.exe
2000	ocpjdimp.exe
2000	ocpjdimp.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1972	ztnwykfyecsbvrc.exe
1972	ztnwykfyecsbvrc.exe
1972	ztnwykfyecsbvrc.exe
1972	ztnwykfyecsbvrc.exe
1972	ztnwykfyecsbvrc.exe
2008	ocpjdimp.exe
2008	ocpjdimp.exe
2008	ocpjdimp.exe
2008	ocpjdimp.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1972	ztnwykfyecsbvrc.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1972	ztnwykfyecsbvrc.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exezyitkiivaj.exeocpjdimp.exeztnwykfyecsbvrc.exellieahfmagiem.exeocpjdimp.exe

pid	process
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1412	zyitkiivaj.exe
1412	zyitkiivaj.exe
1412	zyitkiivaj.exe
2000	ocpjdimp.exe
2000	ocpjdimp.exe
2000	ocpjdimp.exe
1972	ztnwykfyecsbvrc.exe
1972	ztnwykfyecsbvrc.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
2008	ocpjdimp.exe
2008	ocpjdimp.exe
2008	ocpjdimp.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exezyitkiivaj.exeocpjdimp.exeztnwykfyecsbvrc.exellieahfmagiem.exeocpjdimp.exe

pid	process
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1412	zyitkiivaj.exe
1412	zyitkiivaj.exe
1412	zyitkiivaj.exe
2000	ocpjdimp.exe
2000	ocpjdimp.exe
2000	ocpjdimp.exe
1972	ztnwykfyecsbvrc.exe
1972	ztnwykfyecsbvrc.exe
1972	ztnwykfyecsbvrc.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
1740	llieahfmagiem.exe
2008	ocpjdimp.exe
2008	ocpjdimp.exe
2008	ocpjdimp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

884 WINWORD.EXE
884 WINWORD.EXE

pid	process
884	WINWORD.EXE
884	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exezyitkiivaj.exeWINWORD.EXE

description	pid	process	target process
PID 1688 wrote to memory of 1412	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	zyitkiivaj.exe
PID 1688 wrote to memory of 1412	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	zyitkiivaj.exe
PID 1688 wrote to memory of 1412	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	zyitkiivaj.exe
PID 1688 wrote to memory of 1412	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	zyitkiivaj.exe
PID 1688 wrote to memory of 1972	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	ztnwykfyecsbvrc.exe
PID 1688 wrote to memory of 1972	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	ztnwykfyecsbvrc.exe
PID 1688 wrote to memory of 1972	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	ztnwykfyecsbvrc.exe
PID 1688 wrote to memory of 1972	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	ztnwykfyecsbvrc.exe
PID 1688 wrote to memory of 2000	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	ocpjdimp.exe
PID 1688 wrote to memory of 2000	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	ocpjdimp.exe
PID 1688 wrote to memory of 2000	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	ocpjdimp.exe
PID 1688 wrote to memory of 2000	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	ocpjdimp.exe
PID 1688 wrote to memory of 1740	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	llieahfmagiem.exe
PID 1688 wrote to memory of 1740	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	llieahfmagiem.exe
PID 1688 wrote to memory of 1740	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	llieahfmagiem.exe
PID 1688 wrote to memory of 1740	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	llieahfmagiem.exe
PID 1412 wrote to memory of 2008	1412	zyitkiivaj.exe	ocpjdimp.exe
PID 1412 wrote to memory of 2008	1412	zyitkiivaj.exe	ocpjdimp.exe
PID 1412 wrote to memory of 2008	1412	zyitkiivaj.exe	ocpjdimp.exe
PID 1412 wrote to memory of 2008	1412	zyitkiivaj.exe	ocpjdimp.exe
PID 1688 wrote to memory of 884	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	WINWORD.EXE
PID 1688 wrote to memory of 884	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	WINWORD.EXE
PID 1688 wrote to memory of 884	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	WINWORD.EXE
PID 1688 wrote to memory of 884	1688	14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe	WINWORD.EXE
PID 884 wrote to memory of 1580	884	WINWORD.EXE	splwow64.exe
PID 884 wrote to memory of 1580	884	WINWORD.EXE	splwow64.exe
PID 884 wrote to memory of 1580	884	WINWORD.EXE	splwow64.exe
PID 884 wrote to memory of 1580	884	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
"C:\Users\Admin\AppData\Local\Temp\14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\zyitkiivaj.exe
zyitkiivaj.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\ocpjdimp.exe
C:\Windows\system32\ocpjdimp.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2008

C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe
ztnwykfyecsbvrc.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1972

C:\Windows\SysWOW64\ocpjdimp.exe
ocpjdimp.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2000

C:\Windows\SysWOW64\llieahfmagiem.exe
llieahfmagiem.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1740

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1580

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
MD5
cccc2067e26bb916a11dde55fc23cb41

SHA1
210575486d0d2df723a7eca077ff2acb3b77f43d

SHA256
a3c59f6a5b64827ee7b9f962bcc247d5e0928dbeb52bb96e98a2f5e172222d98

SHA512
af7c8c36f043992106a7a90e9fce05ddbea1b00a35b2fd1f1978344b5a0044d1d2dee141cf2c9a720d80cb62cabaa862ed92df04d590a735809314d10d017ca0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
MD5
79ff48cf711e92bbbed599131f69996c

SHA1
9ef0e07303c3007994bfc063153b5dd30f740c6d

SHA256
318ffb23ece5e1a7c57d82a41549f1611bfab36b2db0b3820b5315aa54db9f12

SHA512
3fa394c64f0a1bbfe690a5489dd0b4fbbd29494e11ff3041dc885731ac67c0b491e28f20f64685ce55c073ce97c61763f45fa2da208c3d997cf9118a4b0c2d01

Download Submit
C:\Users\Admin\Documents\ReceiveEdit.doc.exe
MD5
8813ebcacedcc656dab6cd9d0e75d792

SHA1
72f5c560d591e203b89838585972e786aefbe12b

SHA256
e63c87cf76998f18ff83f0f88aafb975c6c868e83d452ef88bc9d0a685e2ba88

SHA512
fff29f08140e4dcd3f9d01f09558c2b11544632c25d0a99ed5246dcdaa972ff02d7f3d6564d335edef7d8c90ce6b7b59bb6e866ca16f4efc5bfb7f256a49fb5b

Download Submit
C:\Users\Admin\Downloads\InvokeUndo.doc.exe
MD5
4a836fcbd114f648a731e38ab46250e6

SHA1
8edb6eb377f0d5aef6f589f9ede413be58d65d67

SHA256
bcd025674d7ab73ace9f2c0c340a2acd31cf9e0774bbdef13508ec5082aeb4ec

SHA512
be18e2b335d9c723482dbab04d58ae9ae34c2f6d9c3e413c9aaa7984ace8b1566863eb0f5df77babb84ad257642f154d174f4141ea7b92426dcd2454ab6edd88

Download Submit
C:\Windows\SysWOW64\llieahfmagiem.exe
MD5
9ebb82f38887848f3e190a864dbcf3d5

SHA1
b54b79daf78655e3984ec53ec0315392124949cb

SHA256
39e6c38f5cb0e072204ff5891199772284e38c5834c464b15fec37d8ee8bf6e2

SHA512
bd5595e782bcaf7d405cc0dd0d9f729f56b212e4bda1316134e2b3336021ca885aa149ff6d048050780f9e4c4cb7389de302a759994a22306359683de6940705

Download Submit
C:\Windows\SysWOW64\llieahfmagiem.exe
MD5
9ebb82f38887848f3e190a864dbcf3d5

SHA1
b54b79daf78655e3984ec53ec0315392124949cb

SHA256
39e6c38f5cb0e072204ff5891199772284e38c5834c464b15fec37d8ee8bf6e2

SHA512
bd5595e782bcaf7d405cc0dd0d9f729f56b212e4bda1316134e2b3336021ca885aa149ff6d048050780f9e4c4cb7389de302a759994a22306359683de6940705

Download Submit
C:\Windows\SysWOW64\ocpjdimp.exe
MD5
6333c214ad431f9f45ffc2ce4cbbc60c

SHA1
5ed2ae189baab90ab868822bf2457343c16fdab8

SHA256
c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff

SHA512
67015d60cfb42a0ff50df959db10362ca8e7ff5ef7477151a01ec9d870be144495f8600f2112ef0f59b7df3e47b99f1714a8691662ff9af30a37d2695e57dd8f

Download Submit
C:\Windows\SysWOW64\ocpjdimp.exe
MD5
6333c214ad431f9f45ffc2ce4cbbc60c

SHA1
5ed2ae189baab90ab868822bf2457343c16fdab8

SHA256
c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff

SHA512
67015d60cfb42a0ff50df959db10362ca8e7ff5ef7477151a01ec9d870be144495f8600f2112ef0f59b7df3e47b99f1714a8691662ff9af30a37d2695e57dd8f

Download Submit
C:\Windows\SysWOW64\ocpjdimp.exe
MD5
6333c214ad431f9f45ffc2ce4cbbc60c

SHA1
5ed2ae189baab90ab868822bf2457343c16fdab8

SHA256
c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff

SHA512
67015d60cfb42a0ff50df959db10362ca8e7ff5ef7477151a01ec9d870be144495f8600f2112ef0f59b7df3e47b99f1714a8691662ff9af30a37d2695e57dd8f

Download Submit
C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe
MD5
b27b048961e442a99d07926213659f9c

SHA1
3fe3a41497ed0367d30dc5f3a8744e440bd398a5

SHA256
bd4908777daf16e5059691ca1657dd69ea1c0c3771598709e08fe80694c60678

SHA512
8a9abbe0c09b0215e7d69aa849ab9e57617e6a9ad7d0e2032856d1d706d1f0a45d1c762c3bd08f2033e2fc0cdfd633399b2a14b4349196bca0d2ceb464c80997

Download Submit
C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe
MD5
b27b048961e442a99d07926213659f9c

SHA1
3fe3a41497ed0367d30dc5f3a8744e440bd398a5

SHA256
bd4908777daf16e5059691ca1657dd69ea1c0c3771598709e08fe80694c60678

SHA512
8a9abbe0c09b0215e7d69aa849ab9e57617e6a9ad7d0e2032856d1d706d1f0a45d1c762c3bd08f2033e2fc0cdfd633399b2a14b4349196bca0d2ceb464c80997

Download Submit
C:\Windows\SysWOW64\zyitkiivaj.exe
MD5
ec1ffaa0ebca3fa99fb836d86c2ffe31

SHA1
bf0a3d6f7e9707fcdf6ffc42dbeba3208a227bee

SHA256
c30bf14e04c3be289ce572da64424144d376c45424a1ac2fe1715ba08fc4ffb1

SHA512
affdf68748fe878dbeab9dc3d74758bf5f6703b5c8391174b8837cf39d22cf846fece12ec28078868bb2e58a6ee070817f8a7de561fda9e764a1e346d08b2072

Download Submit
C:\Windows\SysWOW64\zyitkiivaj.exe
MD5
ec1ffaa0ebca3fa99fb836d86c2ffe31

SHA1
bf0a3d6f7e9707fcdf6ffc42dbeba3208a227bee

SHA256
c30bf14e04c3be289ce572da64424144d376c45424a1ac2fe1715ba08fc4ffb1

SHA512
affdf68748fe878dbeab9dc3d74758bf5f6703b5c8391174b8837cf39d22cf846fece12ec28078868bb2e58a6ee070817f8a7de561fda9e764a1e346d08b2072

Download Submit
C:\Windows\mydoc.rtf
MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\llieahfmagiem.exe
MD5
9ebb82f38887848f3e190a864dbcf3d5

SHA1
b54b79daf78655e3984ec53ec0315392124949cb

SHA256
39e6c38f5cb0e072204ff5891199772284e38c5834c464b15fec37d8ee8bf6e2

SHA512
bd5595e782bcaf7d405cc0dd0d9f729f56b212e4bda1316134e2b3336021ca885aa149ff6d048050780f9e4c4cb7389de302a759994a22306359683de6940705

Download Submit
\Windows\SysWOW64\ocpjdimp.exe
MD5
6333c214ad431f9f45ffc2ce4cbbc60c

SHA1
5ed2ae189baab90ab868822bf2457343c16fdab8

SHA256
c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff

SHA512
67015d60cfb42a0ff50df959db10362ca8e7ff5ef7477151a01ec9d870be144495f8600f2112ef0f59b7df3e47b99f1714a8691662ff9af30a37d2695e57dd8f

Download Submit
\Windows\SysWOW64\ocpjdimp.exe
MD5
6333c214ad431f9f45ffc2ce4cbbc60c

SHA1
5ed2ae189baab90ab868822bf2457343c16fdab8

SHA256
c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff

SHA512
67015d60cfb42a0ff50df959db10362ca8e7ff5ef7477151a01ec9d870be144495f8600f2112ef0f59b7df3e47b99f1714a8691662ff9af30a37d2695e57dd8f

Download Submit
\Windows\SysWOW64\ztnwykfyecsbvrc.exe
MD5
b27b048961e442a99d07926213659f9c

SHA1
3fe3a41497ed0367d30dc5f3a8744e440bd398a5

SHA256
bd4908777daf16e5059691ca1657dd69ea1c0c3771598709e08fe80694c60678

SHA512
8a9abbe0c09b0215e7d69aa849ab9e57617e6a9ad7d0e2032856d1d706d1f0a45d1c762c3bd08f2033e2fc0cdfd633399b2a14b4349196bca0d2ceb464c80997

Download Submit
\Windows\SysWOW64\zyitkiivaj.exe
MD5
ec1ffaa0ebca3fa99fb836d86c2ffe31

SHA1
bf0a3d6f7e9707fcdf6ffc42dbeba3208a227bee

SHA256
c30bf14e04c3be289ce572da64424144d376c45424a1ac2fe1715ba08fc4ffb1

SHA512
affdf68748fe878dbeab9dc3d74758bf5f6703b5c8391174b8837cf39d22cf846fece12ec28078868bb2e58a6ee070817f8a7de561fda9e764a1e346d08b2072

Download Submit
memory/884-87-0x00000000700E1000-0x00000000700E3000-memory.dmp

Filesize
8KB

Download
memory/884-85-0x0000000000000000-mapping.dmp

Download
memory/884-86-0x0000000072661000-0x0000000072664000-memory.dmp

Filesize
12KB

Download
memory/884-88-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/884-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1412-62-0x0000000000000000-mapping.dmp

Download
memory/1580-94-0x0000000000000000-mapping.dmp

Download
memory/1580-95-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1688-60-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/1740-75-0x0000000000000000-mapping.dmp

Download
memory/1972-66-0x0000000000000000-mapping.dmp

Download
memory/2000-70-0x0000000000000000-mapping.dmp

Download
memory/2008-82-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads