732cfacaafe15f55c177d929eeb4b129dc5a44ce04c8d6d83da236d74c50979f

Resubmissions

30/09/2023, 07:51

230930-jpwaqsbc35 10

29/09/2023, 22:10

230929-13rm5sgc42 10

29/09/2023, 21:44

230929-1lmymagb76 10

Analysis

max time kernel
1799s
max time network
1752s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
29/09/2023, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nicht bestätigt 788413.doc
Size

2.1MB
MD5

d7519b822434fb89fb3643bc2f450e23
SHA1

4fcf10a8fe9db80c3eaf172636a602f95b64b0fc
SHA256

732cfacaafe15f55c177d929eeb4b129dc5a44ce04c8d6d83da236d74c50979f
SHA512

d8b2e5eb888f3ca464e56aebcd6e4eab2b678739663aba90745e6d244a36a7e4e622afaa11f5a0a6effd5991cf26e37e4775837ff97c415ad5feee2969640e95
SSDEEP

12288:t+xefqnAWcv37wHxULygl0kPf5h2BSoPy+OnwGcOuU4N5:oAqnAHTwHK+g00Cy+OnSOz4r

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2968	2408	cmd.exe	27

Executes dropped EXE 1 IoCs

pid	Process
2360	chats.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2616	schtasks.exe
2520	schtasks.exe
2568	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2408	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1576	cscript.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2408	WINWORD.EXE
2408	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2968	2408	WINWORD.EXE	28
PID 2408 wrote to memory of 2968	2408	WINWORD.EXE	28
PID 2408 wrote to memory of 2968	2408	WINWORD.EXE	28
PID 2408 wrote to memory of 2968	2408	WINWORD.EXE	28
PID 2968 wrote to memory of 2616	2968	cmd.exe	31
PID 2968 wrote to memory of 2616	2968	cmd.exe	31
PID 2968 wrote to memory of 2616	2968	cmd.exe	31
PID 2968 wrote to memory of 2616	2968	cmd.exe	31
PID 2968 wrote to memory of 2520	2968	cmd.exe	32
PID 2968 wrote to memory of 2520	2968	cmd.exe	32
PID 2968 wrote to memory of 2520	2968	cmd.exe	32
PID 2968 wrote to memory of 2520	2968	cmd.exe	32
PID 2968 wrote to memory of 2568	2968	cmd.exe	33
PID 2968 wrote to memory of 2568	2968	cmd.exe	33
PID 2968 wrote to memory of 2568	2968	cmd.exe	33
PID 2968 wrote to memory of 2568	2968	cmd.exe	33
PID 2408 wrote to memory of 2872	2408	WINWORD.EXE	35
PID 2408 wrote to memory of 2872	2408	WINWORD.EXE	35
PID 2408 wrote to memory of 2872	2408	WINWORD.EXE	35
PID 2408 wrote to memory of 2872	2408	WINWORD.EXE	35
PID 2824 wrote to memory of 576	2824	taskeng.exe	39
PID 2824 wrote to memory of 576	2824	taskeng.exe	39
PID 2824 wrote to memory of 576	2824	taskeng.exe	39
PID 576 wrote to memory of 1576	576	cmd.exe	41
PID 576 wrote to memory of 1576	576	cmd.exe	41
PID 576 wrote to memory of 1576	576	cmd.exe	41
PID 2824 wrote to memory of 2236	2824	taskeng.exe	42
PID 2824 wrote to memory of 2236	2824	taskeng.exe	42
PID 2824 wrote to memory of 2236	2824	taskeng.exe	42
PID 2824 wrote to memory of 2356	2824	taskeng.exe	45
PID 2824 wrote to memory of 2356	2824	taskeng.exe	45
PID 2824 wrote to memory of 2356	2824	taskeng.exe	45
PID 2824 wrote to memory of 2360	2824	taskeng.exe	44
PID 2824 wrote to memory of 2360	2824	taskeng.exe	44
PID 2824 wrote to memory of 2360	2824	taskeng.exe	44
PID 2824 wrote to memory of 2360	2824	taskeng.exe	44
PID 2356 wrote to memory of 1956	2356	cmd.exe	47
PID 2356 wrote to memory of 1956	2356	cmd.exe	47
PID 2356 wrote to memory of 1956	2356	cmd.exe	47
PID 2824 wrote to memory of 2440	2824	taskeng.exe	50
PID 2824 wrote to memory of 2440	2824	taskeng.exe	50
PID 2824 wrote to memory of 2440	2824	taskeng.exe	50
PID 2824 wrote to memory of 3044	2824	taskeng.exe	51
PID 2824 wrote to memory of 3044	2824	taskeng.exe	51
PID 2824 wrote to memory of 3044	2824	taskeng.exe	51
PID 3044 wrote to memory of 2008	3044	cmd.exe	54
PID 3044 wrote to memory of 2008	3044	cmd.exe	54
PID 3044 wrote to memory of 2008	3044	cmd.exe	54
PID 2824 wrote to memory of 2916	2824	taskeng.exe	55
PID 2824 wrote to memory of 2916	2824	taskeng.exe	55
PID 2824 wrote to memory of 2916	2824	taskeng.exe	55
PID 2916 wrote to memory of 3040	2916	cmd.exe	57
PID 2916 wrote to memory of 3040	2916	cmd.exe	57
PID 2916 wrote to memory of 3040	2916	cmd.exe	57
PID 2824 wrote to memory of 368	2824	taskeng.exe	58
PID 2824 wrote to memory of 368	2824	taskeng.exe	58
PID 2824 wrote to memory of 368	2824	taskeng.exe	58
PID 2824 wrote to memory of 2416	2824	taskeng.exe	60
PID 2824 wrote to memory of 2416	2824	taskeng.exe	60
PID 2824 wrote to memory of 2416	2824	taskeng.exe	60
PID 2416 wrote to memory of 3036	2416	cmd.exe	62
PID 2416 wrote to memory of 3036	2416	cmd.exe	62
PID 2416 wrote to memory of 3036	2416	cmd.exe	62
PID 2824 wrote to memory of 2868	2824	taskeng.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 788413.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Public\rtwitoghbklj.bat
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 4 /f /tn rtret /tr "C:\Users\Public\fghsd.bat"
    3⤵
    - Creates scheduled task(s)
    PID:2616
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 6 /f /tn sgsg /tr "C:\Users\Public\Pictures\oned.bat"
    3⤵
    - Creates scheduled task(s)
    PID:2520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 8 /f /tn jhkff /tr "C:\Users\Public\chats\chats.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2568
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2872

C:\Windows\system32\taskeng.exe
taskeng.exe {ECA6E5DC-F520-436D-88C9-D8355625F030} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\fghsd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:1576
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\Pictures\oned.bat"
  2⤵
  PID:2236
- C:\Users\Public\chats\chats.exe
  C:\Users\Public\chats\chats.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\fghsd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
    3⤵
    PID:1956
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\Pictures\oned.bat"
  2⤵
  PID:2440
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\fghsd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
    3⤵
    PID:2008
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\fghsd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
    3⤵
    PID:3040
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\Pictures\oned.bat"
  2⤵
  PID:368
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\fghsd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
    3⤵
    PID:3036
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\Pictures\oned.bat"
  2⤵
  PID:2868
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\fghsd.bat"
  2⤵
  PID:2116
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
    3⤵
    PID:2604
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\fghsd.bat"
  2⤵
  PID:1076
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
    3⤵
    PID:1048
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\Pictures\oned.bat"
  2⤵
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
374B

MD5
f7527f42289d19e38d328c8b9bf6c3c1

SHA1
11f79451278295174fc55e411ce43ae34a96a08e

SHA256
6b521ad07453a6c79a87e855c44861209f9ae687bb99f480e19d28b03dcfd9ac

SHA512
e80b3f93e3cca4352bb7c85b58c4486a331033531d9b83e3df35cd9ed2a7aef25eaa2b843f8f83b48d639fc9ea04608c0dcdf15b0a678cf0e4acb3c110dee82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
293B

MD5
5c204cd90cd0fc8e06ae478a6060f8e8

SHA1
6c8d3f828b5457ab20d78bc6f6fd768e2b318caa

SHA256
9c325f4c822346e33240a3dcf3a624a692ede0cd552b4374d0eb61a9be571012

SHA512
76ab29d00585571285905428428ab13e1cffb72a49f92538eed8a62399b33238313f186084c300a9986887f5395d3b257f6e6ca3929eb91360726240aa37afd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
293B

MD5
5c204cd90cd0fc8e06ae478a6060f8e8

SHA1
6c8d3f828b5457ab20d78bc6f6fd768e2b318caa

SHA256
9c325f4c822346e33240a3dcf3a624a692ede0cd552b4374d0eb61a9be571012

SHA512
76ab29d00585571285905428428ab13e1cffb72a49f92538eed8a62399b33238313f186084c300a9986887f5395d3b257f6e6ca3929eb91360726240aa37afd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
293B

MD5
5c204cd90cd0fc8e06ae478a6060f8e8

SHA1
6c8d3f828b5457ab20d78bc6f6fd768e2b318caa

SHA256
9c325f4c822346e33240a3dcf3a624a692ede0cd552b4374d0eb61a9be571012

SHA512
76ab29d00585571285905428428ab13e1cffb72a49f92538eed8a62399b33238313f186084c300a9986887f5395d3b257f6e6ca3929eb91360726240aa37afd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
54B

MD5
d9b673a7658d4e650850a8f0a384336e

SHA1
55dac464d09e7c502b8d62fb1d14f9ce662e4e19

SHA256
2ff399685922cad7c37b0eddec78b4e5ea21082855b6ad5290db421aa5e946eb

SHA512
3e37e530e7052d3d3b5ca122f59d3dac186706a460219c549e9c0db7f636d9026a058d8ab43b877d791841374b4e5a8a5d42cfacb432014d9aaf26a32fbadfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
293B

MD5
5c204cd90cd0fc8e06ae478a6060f8e8

SHA1
6c8d3f828b5457ab20d78bc6f6fd768e2b318caa

SHA256
9c325f4c822346e33240a3dcf3a624a692ede0cd552b4374d0eb61a9be571012

SHA512
76ab29d00585571285905428428ab13e1cffb72a49f92538eed8a62399b33238313f186084c300a9986887f5395d3b257f6e6ca3929eb91360726240aa37afd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
86B

MD5
80e1fe9562b1bd391b0feeff6f8bf202

SHA1
6ce0a5c8eb75f4877bb91dac87d0815f31b68480

SHA256
0110b6c2b7270239627aaa62aa8371112572d6525a464dee81e82658999c025e

SHA512
36ff805f8ed1e88404ddd2b280eae8ab3b083b28a1fe4fb9e6819685524e44a95bbd63fa63faf033c04e8fa0a38e457942a221e531f61d310698eed9de230f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
114B

MD5
f27532f6e01f840923cf8fe8ba84fadf

SHA1
5a7976062ad84da5d41769accee4db3025608c14

SHA256
130f575e56e3757ff793c00ed0e957a7c231a9bdbd5403829abe563010247a42

SHA512
7364b62417fab5d692046bcc8a73210ef85a85fa167336530e9afc7e05f48d29b8e90252228b9396ab2bdd8e92c7450c5edfd14a0d52a4e2b87b92677533eb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
114B

MD5
f27532f6e01f840923cf8fe8ba84fadf

SHA1
5a7976062ad84da5d41769accee4db3025608c14

SHA256
130f575e56e3757ff793c00ed0e957a7c231a9bdbd5403829abe563010247a42

SHA512
7364b62417fab5d692046bcc8a73210ef85a85fa167336530e9afc7e05f48d29b8e90252228b9396ab2bdd8e92c7450c5edfd14a0d52a4e2b87b92677533eb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
164B

MD5
bab5c47e282215782bf03eff8f041c9d

SHA1
87375c1cd28060aac17139fc81f560de5951ee3e

SHA256
bbe8e6327fe86977d5a028fa1faa768513a2af1a2234dc498513e1cc548eede8

SHA512
265b35869e1e8b51d0081e3e008ba9cbb764750dbfb0cfe12947f6840cab19c585e4153e06ca50750ee6a204f368998eb15661a49d8b14dd3e91d9e543997312

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
207B

MD5
2875eb4740de383e185f2e3e76a957d9

SHA1
c6f9be0064269d2a358df4dd6650bc26d898383b

SHA256
c7bcd02fa0590b6ce206af2834f99fc5652aa64450b3e7911844b5e01d193c3e

SHA512
6ada5ac32248c5d1274c3fd464a4ab2272499b2a58f88aef264474a1b9ef7b6e7229b46864f5e0f12214e5170e2055317cd34882526ac601e6f2104cd499a7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
250B

MD5
fea0e2b124f69f6dfc63bfefa5b47c56

SHA1
e5f45d6cbd81b70df7d0216c2e9827aa2cbe4e38

SHA256
2762c7f6dbfef046066a2893efd2976da30fc503775bca43684405043de566f0

SHA512
7c397b702fec6e32bcc570a7df1709cb1ee312d53596c415d352d0037f4802586e922d33d71b0b5ecadf291edcbad2af0778b1ce07b3ad1e73c694cc5ac8aaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
269B

MD5
4723ec4f36a275722efa3204b762e10d

SHA1
27308ecb7ceff6cb3283ed481b0f649efda73d72

SHA256
cc82e370367946111cc1c34efcdd561ef776f0383f37f3b0ac437f07e91376bf

SHA512
069e54478cb72db1ec6cda1ac62eef33ca75ed299fdd1bec7af86f7e7725436395f5a0be461f3c6335c0926374e6123ef05cb0d3f72a019dba03f9f61ae22177

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
293B

MD5
5c204cd90cd0fc8e06ae478a6060f8e8

SHA1
6c8d3f828b5457ab20d78bc6f6fd768e2b318caa

SHA256
9c325f4c822346e33240a3dcf3a624a692ede0cd552b4374d0eb61a9be571012

SHA512
76ab29d00585571285905428428ab13e1cffb72a49f92538eed8a62399b33238313f186084c300a9986887f5395d3b257f6e6ca3929eb91360726240aa37afd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
293B

MD5
5c204cd90cd0fc8e06ae478a6060f8e8

SHA1
6c8d3f828b5457ab20d78bc6f6fd768e2b318caa

SHA256
9c325f4c822346e33240a3dcf3a624a692ede0cd552b4374d0eb61a9be571012

SHA512
76ab29d00585571285905428428ab13e1cffb72a49f92538eed8a62399b33238313f186084c300a9986887f5395d3b257f6e6ca3929eb91360726240aa37afd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
293B

MD5
5c204cd90cd0fc8e06ae478a6060f8e8

SHA1
6c8d3f828b5457ab20d78bc6f6fd768e2b318caa

SHA256
9c325f4c822346e33240a3dcf3a624a692ede0cd552b4374d0eb61a9be571012

SHA512
76ab29d00585571285905428428ab13e1cffb72a49f92538eed8a62399b33238313f186084c300a9986887f5395d3b257f6e6ca3929eb91360726240aa37afd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
66a0f86dd9ec34080b0a814b2e638ede

SHA1
b14d9b44e840d197ef610982c6c217f2cab01cf8

SHA256
4828dcf7a2ff2cde77329749579972d1fcc54c884f62e12e5e467979d4117725

SHA512
ad80a7a5169c6a20f9d9eef25a732a4bcb5a047995c61d3323da1d475e48d29e5985e3eddf0ff5a4d2db546060737f0b64199bc9c91185d80b643113f3b8f669

Download Submit
C:\Users\Public\chats

Filesize
10KB

MD5
5e4ef26e46869b1cfa9b7f803eed5b33

SHA1
26d00ed8633f7ce0ea433b29a88f3602e38b7b0f

SHA256
2ab4d420f543103c1f0188445a3a47eaa77817514573cb07cb8810903ae1f67d

SHA512
7d2b36ac7f982b2885577d4c0d7fc467959bed68a07667b073fbf0bb072fd810099745567afa4e7a41bd1f0ce5a61efbff082173212542b8a38762faa4bf988e

Download Submit
C:\Users\Public\chats\chats.exe

Filesize
21KB

MD5
2cacf99569c85091ea987a02dc1e6bec

SHA1
b7bf707938cc0cef3d3e24be0c8748ee699beb15

SHA256
40e43aac9888c433d796e106c03846f48a1422d0950f27e0a2b793261e9f9e08

SHA512
38d2397b71b83c1f5eb2453fa6a6b3c7457671835fef13d8c92e6c1ac5fd1677682f0a7219bf9ddf922891caf0021a680fcd6ac8dd03116acd149710430c5a02

Download Submit
C:\Users\Public\chats\chats.exe

Filesize
21KB

MD5
2cacf99569c85091ea987a02dc1e6bec

SHA1
b7bf707938cc0cef3d3e24be0c8748ee699beb15

SHA256
40e43aac9888c433d796e106c03846f48a1422d0950f27e0a2b793261e9f9e08

SHA512
38d2397b71b83c1f5eb2453fa6a6b3c7457671835fef13d8c92e6c1ac5fd1677682f0a7219bf9ddf922891caf0021a680fcd6ac8dd03116acd149710430c5a02

Download Submit
C:\Users\Public\fghsd.bat

Filesize
712B

MD5
36b06d73347fe0da8177bd212e2b3f77

SHA1
f1fc033763b931a729b9da3eb29a0724fd3eb6b9

SHA256
a2f68aacf94a11678abd24039f1a26c65c257c26ac7c31c87b442fbd7f6583d9

SHA512
c2f90456644fd136c7ed33e83b9501d4c0323e294427b942a1bd078067be63ff3c5b3bc3c99f253b30d3ff579b64ef1699e3684612e9a4f4880e4a806f65c937

Download Submit
C:\Users\Public\rtwitoghbklj.bat

Filesize
480B

MD5
2981447b673ed84cf8a20457f175ff52

SHA1
f92a9f28c9da1d09a8332d68287a74cd7d3a2538

SHA256
f9459c9065454839cd1306c2e7759513bc5d204eb9a8095f5d49bd88654d8309

SHA512
2ac7562bbf63d2befc037c02a6bd89d1d76e7df28004b151d7d6c4d61cfa0347a21879995b797f40da20da1ce763147cf18864e0a90906fbb71b74d190f8193b

Download Submit
C:\Users\Public\rtwitoghbklj.bat

Filesize
480B

MD5
2981447b673ed84cf8a20457f175ff52

SHA1
f92a9f28c9da1d09a8332d68287a74cd7d3a2538

SHA256
f9459c9065454839cd1306c2e7759513bc5d204eb9a8095f5d49bd88654d8309

SHA512
2ac7562bbf63d2befc037c02a6bd89d1d76e7df28004b151d7d6c4d61cfa0347a21879995b797f40da20da1ce763147cf18864e0a90906fbb71b74d190f8193b

Download Submit
memory/1576-79-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/2360-95-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2408-17-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-19-0x0000000005BE0000-0x0000000005CE0000-memory.dmp

Filesize
1024KB

Download
memory/2408-48-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-49-0x0000000005BE0000-0x0000000005CE0000-memory.dmp

Filesize
1024KB

Download
memory/2408-46-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2408-66-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download
memory/2408-45-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-44-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download
memory/2408-25-0x0000000005BE0000-0x0000000005CE0000-memory.dmp

Filesize
1024KB

Download
memory/2408-24-0x0000000005BE0000-0x0000000005CE0000-memory.dmp

Filesize
1024KB

Download
memory/2408-22-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-21-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-20-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-16-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-47-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-0-0x000000002F2B1000-0x000000002F2B2000-memory.dmp

Filesize
4KB

Download
memory/2408-14-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-13-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-12-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-11-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-10-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-9-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-8-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-7-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-5-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-6-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2408-2-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download
memory/2408-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads