crimsonrat | 0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2

General

Target

0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2.ppam
Size

396KB
MD5

70635541c80cd5a237ff789abcce4e27
SHA1

69639bccfdfc319d64ab89d5ee03d29f6f6133a7
SHA256

0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2
SHA512

8470f9581032dca01aacd5ca55974d56bc34d652fc1b2f25883002d5c28330b2ce04fe69031d72e3b3d4e2fd058c32263af538d64f3e23757ff350d70d6f7867
SSDEEP

6144:ilRaWUni3pcJi9U+K/mpL0IfyzvfJ1vC53oPWVkuKsxkx:OUWOUXq+emC3Trq9Elskx

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

C2

192.3.99.68

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Executes dropped EXE 1 IoCs

Processes:

hiartbnaiw.exe

pid process

1824 hiartbnaiw.exe
Loads dropped DLL 1 IoCs

Processes:

POWERPNT.EXE

pid process

2148 POWERPNT.EXE

pid	process
1824	hiartbnaiw.exe

pid	process
2148	POWERPNT.EXE

Drops file in Program Files directory 16 IoCs

Processes:

POWERPNT.EXE

description	ioc	process
File created	C:\PROGRA~3\OFFIEC~1\_rels\.rels	POWERPNT.EXE
File created	C:\PROGRA~3\OFFIEC~1\ppt\presentation.xml	POWERPNT.EXE
File created	C:\PROGRA~3\OFFIEC~1\ppt\vbaProject.bin	POWERPNT.EXE
File created	C:\PROGRA~3\OFFIEC~1\ppt\EMBEDD~1\oleObject1.bin	POWERPNT.EXE
File opened for modification	C:\PROGRA~3\OFFIEC~1\ppt\EMBEDD~1\oleObject2.bin	POWERPNT.EXE
File created	C:\PROGRA~3\OFFIEC~1\ppt\_rels\presentation.xml.rels	POWERPNT.EXE
File opened for modification	C:\PROGRA~3\OFFIEC~1\ppt\EMBEDD~1\oleObject1.bin	POWERPNT.EXE
File created	C:\PROGRA~3\OFFIEC~1\ppt\EMBEDD~1\oleObject3.bin	POWERPNT.EXE
File opened for modification	C:\PROGRA~3\OFFIEC~1\ppt\EMBEDD~1\oleObject3.bin	POWERPNT.EXE
File opened for modification	C:\PROGRA~3\OFFIEC~1\ppt\presentation.xml	POWERPNT.EXE
File created	C:\PROGRA~3\OFFIEC~1\ppt\EMBEDD~1\oleObject2.bin	POWERPNT.EXE
File opened for modification	C:\PROGRA~3\OFFIEC~1\ppt\_rels\presentation.xml.rels	POWERPNT.EXE
File opened for modification	C:\PROGRA~3\OFFIEC~1\_rels\.rels	POWERPNT.EXE
File created	C:\PROGRA~3\OFFIEC~1\[Content_Types].xml	POWERPNT.EXE
File opened for modification	C:\PROGRA~3\OFFIEC~1\[Content_Types].xml	POWERPNT.EXE
File opened for modification	C:\PROGRA~3\OFFIEC~1\ppt\vbaProject.bin	POWERPNT.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

POWERPNT.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346F-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493490-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349D-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D7-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DC-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A60-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}\ = "Collection"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493473-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F2-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493454-5A91-11CF-8700-00AA0060263B}\ = "Selection"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DF-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E3-5A91-11CF-8700-00AA0060263B}\ = "AnimationBehaviors"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5B-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "ChartFillFormat"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A77-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349C-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CC-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E8-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7C-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493494-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D7-5A91-11CF-8700-00AA0060263B}\ = "Design"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E9-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F7-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5A-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "ChartData"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6D-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\ = "ExtraColors"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346C-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349D-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EB-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A58-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E554-4FF5-48F4-8215-5505F990966F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493457-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C0-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C8-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EB-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F5-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F9-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A75-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A78-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C3-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345B-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346C-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346C-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CF-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E8-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F3-5A91-11CF-8700-00AA0060263B}\ = "CustomLayout"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F8-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493452-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A63-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CB-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E6-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345B-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EC-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A68-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A73-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A77-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347D-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE

NTFS ADS 1 IoCs

Processes:

POWERPNT.EXE

description ioc process

File created C:\ProgramData\Offiecs338\data.zip\:Zone.Identifier:$DATA POWERPNT.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2148 POWERPNT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

POWERPNT.EXE

pid process

2148 POWERPNT.EXE
2148 POWERPNT.EXE

description	ioc	process
File created	C:\ProgramData\Offiecs338\data.zip\:Zone.Identifier:$DATA	POWERPNT.EXE

pid	process
2148	POWERPNT.EXE

pid	process
2148	POWERPNT.EXE
2148	POWERPNT.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 2148 wrote to memory of 2528	2148	POWERPNT.EXE	splwow64.exe
PID 2148 wrote to memory of 2528	2148	POWERPNT.EXE	splwow64.exe
PID 2148 wrote to memory of 2528	2148	POWERPNT.EXE	splwow64.exe
PID 2148 wrote to memory of 2528	2148	POWERPNT.EXE	splwow64.exe
PID 2148 wrote to memory of 1824	2148	POWERPNT.EXE	hiartbnaiw.exe
PID 2148 wrote to memory of 1824	2148	POWERPNT.EXE	hiartbnaiw.exe
PID 2148 wrote to memory of 1824	2148	POWERPNT.EXE	hiartbnaiw.exe
PID 2148 wrote to memory of 1824	2148	POWERPNT.EXE	hiartbnaiw.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2.ppam"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2528
- C:\ProgramData\Offiecs338\ppt\embeddings\hiartbnaiw.exe
  C:\ProgramData\Offiecs338\ppt\embeddings\hiartbnaiw.exe
  2⤵
  - Executes dropped EXE
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\OFFIEC~1\data.zip

Filesize
396KB

MD5
70635541c80cd5a237ff789abcce4e27

SHA1
69639bccfdfc319d64ab89d5ee03d29f6f6133a7

SHA256
0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2

SHA512
8470f9581032dca01aacd5ca55974d56bc34d652fc1b2f25883002d5c28330b2ce04fe69031d72e3b3d4e2fd058c32263af538d64f3e23757ff350d70d6f7867

Download Submit
C:\ProgramData\Offiecs338\data.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\ProgramData\Offiecs338\ppt\embeddings\hiartbnaiw.exe

Filesize
10.5MB

MD5
30bc987b05c707e89f1a0b06e022459e

SHA1
48e33424d703d9566d8f6e41dff7cf8dd6053323

SHA256
f3a1ac021941b481ac7e2335b74ebf1e44728e8917381728f1f5b390c6f34706

SHA512
7a8578724a968f89ceacb2f698a95b606b7809c7b498de592adb4365161fa37cfb9fd41b6c38b3ba81dd081f646b7d278f788a84ba270563c0f682f1239a319d

Download Submit
C:\Users\Admin\Documents\0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2.pptx

Filesize
175KB

MD5
643218061bd19bc22c91eb67e688d0ad

SHA1
0bdba98f3f080a9e367dbd44e8051768ccc7a331

SHA256
8f905ae9b5f3c9d1f4a2a3ba5c366fb2213629c077b43d85eb6fd005b4c47bfb

SHA512
a45c29077622ee9b2ee72128707a4d4370a93a1f8f96511defa36ee563d37e198fcd3047282a77acefe2cda2c57ee460c63f9fe9164f3c5a5de589dcbed5366a

Download Submit
memory/1824-187-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1824-185-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

Filesize
9.6MB

Download
memory/1824-221-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1824-220-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1824-219-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

Filesize
9.6MB

Download
memory/1824-183-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

Filesize
9.6MB

Download
memory/1824-184-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2148-0-0x000000002DC91000-0x000000002DC92000-memory.dmp

Filesize
4KB

Download
memory/2148-8-0x0000000004980000-0x0000000004A80000-memory.dmp

Filesize
1024KB

Download
memory/2148-14-0x0000000004980000-0x0000000004A80000-memory.dmp

Filesize
1024KB

Download
memory/2148-217-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2148-218-0x0000000071EED000-0x0000000071EF8000-memory.dmp

Filesize
44KB

Download
memory/2148-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2148-2-0x0000000071EED000-0x0000000071EF8000-memory.dmp

Filesize
44KB

Download
memory/2148-37-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads