062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1

General

Target

Document.doc.scr
Size

194KB
MD5

50e5dec57451005668704281688ca55d
SHA1

67dd4ac7eb8c193b39149b34d3a0d5bc21c3f200
SHA256

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1
SHA512

29ca4a44795c71d3e2b4e3417355ebb93765157d464d6d5a3fe6774056d934d57081c72001fb29e47982da11e5a5ccfdbcc958d05a11fb49bd8bf84e6d0c61ad
SSDEEP

3072:66glyuxE4GsUPnliByocWepRGbVZqid91h2ys+tU:66gDBGpvEByocWeubV4inP9B

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (609) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

9566.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 9566.tmp
Deletes itself 1 IoCs

Processes:

9566.tmp

pid process

2240 9566.tmp
Executes dropped EXE 1 IoCs

Processes:

9566.tmp

pid process

2240 9566.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	9566.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

Document.doc.scr

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	Document.doc.scr
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	Document.doc.scr

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\PP8ew3nw3nq4gs_mnf6ixay20bd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPeb2jx1lqxp0dqv5_083v6_ksb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPsbowxs9rft00rese83w5l4v4b.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Document.doc.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	Document.doc.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Document.doc.scr9566.tmp

pid process

1364 Document.doc.scr
1364 Document.doc.scr
1364 Document.doc.scr
1364 Document.doc.scr
2240 9566.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10"	Document.doc.scr

Modifies registry class 5 IoCs

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk\ = "Qs2QSInbk"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon\ = "C:\\ProgramData\\Qs2QSInbk.ico"	Document.doc.scr

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Document.doc.scr

pid	process
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr
1364	Document.doc.scr

Suspicious behavior: RenamesItself 26 IoCs

Processes:

9566.tmp

pid	process
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp
2240	9566.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Document.doc.scr

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeDebugPrivilege	1364	Document.doc.scr
Token: 36	1364	Document.doc.scr
Token: SeImpersonatePrivilege	1364	Document.doc.scr
Token: SeIncBasePriorityPrivilege	1364	Document.doc.scr
Token: SeIncreaseQuotaPrivilege	1364	Document.doc.scr
Token: 33	1364	Document.doc.scr
Token: SeManageVolumePrivilege	1364	Document.doc.scr
Token: SeProfSingleProcessPrivilege	1364	Document.doc.scr
Token: SeRestorePrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSystemProfilePrivilege	1364	Document.doc.scr
Token: SeTakeOwnershipPrivilege	1364	Document.doc.scr
Token: SeShutdownPrivilege	1364	Document.doc.scr
Token: SeDebugPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeBackupPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr
Token: SeSecurityPrivilege	1364	Document.doc.scr

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
4080	ONENOTE.EXE
4080	ONENOTE.EXE
4080	ONENOTE.EXE
4080	ONENOTE.EXE
4080	ONENOTE.EXE
4080	ONENOTE.EXE
4080	ONENOTE.EXE
4080	ONENOTE.EXE
4080	ONENOTE.EXE
4080	ONENOTE.EXE
4080	ONENOTE.EXE
4080	ONENOTE.EXE
4080	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Document.doc.scrprintfilterpipelinesvc.exe9566.tmp

description	pid	process	target process
PID 1364 wrote to memory of 4492	1364	Document.doc.scr	splwow64.exe
PID 1364 wrote to memory of 4492	1364	Document.doc.scr	splwow64.exe
PID 548 wrote to memory of 4080	548	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 548 wrote to memory of 4080	548	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 1364 wrote to memory of 2240	1364	Document.doc.scr	9566.tmp
PID 1364 wrote to memory of 2240	1364	Document.doc.scr	9566.tmp
PID 1364 wrote to memory of 2240	1364	Document.doc.scr	9566.tmp
PID 1364 wrote to memory of 2240	1364	Document.doc.scr	9566.tmp
PID 2240 wrote to memory of 948	2240	9566.tmp	cmd.exe
PID 2240 wrote to memory of 948	2240	9566.tmp	cmd.exe
PID 2240 wrote to memory of 948	2240	9566.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:4492

C:\ProgramData\9566.tmp
"C:\ProgramData\9566.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9566.tmp >> NUL
3⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4576

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:548

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5BA70C8C-637E-48A2-A8EA-7B0E76C654F0}.xps" 133584880716320000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini
Filesize
129B

MD5
398a59172d9c44d9604d4067df112acb

SHA1
13e51d8782ef0da080e3bb9e7d078aa9b5fb068e

SHA256
7044422bb6ddf26d458a496244449077dcebe5cc3157a8ead2269f34e22b2c31

SHA512
193da77062757bb2f30da3a870eebd6f68c00f7d6c713de7ef5cf2eda06cba220cb059f38ace1ba9427e853c02fbb09161aca0d1173450fdd30668a2146f531b

Download Submit
C:\ProgramData\9566.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Qs2QSInbk.README.txt
Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDD
Filesize
194KB

MD5
5a7e8de98a4b7fd1ecc52b02fa0565b5

SHA1
9a9599fabcc11c9961c35907d7da8ca97131ec63

SHA256
fbbfb22e291a460d80bf5b82442448a3c82bc9d15dbb63c654a7ee3bd7fcfb2e

SHA512
d3b4159fd230d806e8911a0075244401cd82765c73f49398b77cc495ca6d4fb3af6fda816f9e6788b9422df8859feb6b684c792dc8af1c18e47b7dde8a7feaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E91C1C1E-6F21-4F16-BA78-7A51F0CC5897}
Filesize
4KB

MD5
77e084b6025b0cc6482856e0cd44cfb1

SHA1
3bc63ef2c1f3d14f9763f6d867de5bb38e8357cd

SHA256
fd04e38773f6dc0b5c44156022bf6490b578cc5804420a28b3d031166ba7a1e0

SHA512
b155706ca7044a3178720e7f7e0e45a88614255f5850dcdf543a2bc795a0a092db1f2e26f7bdcced47f308892e6d42b1ec8b4199f5a4a6b515e7f51b545d64ad

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
Filesize
4KB

MD5
4e3763b36147f8c7dcf3e90033631118

SHA1
4bee6e6161ab291236a82ba07ef1dab0758c48a0

SHA256
4844b9898930bfbbf656068242cd654a9d49bedc0334fe1854342d109cb8f462

SHA512
55f15a5d70efe7f32c93f06589559e38bbd2c6ef338738ead8eeb2c1b04f4e3229b1e581f588d7416a816c2a0b5b49bfed874f1dd476676f59f5872d938437b2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD
Filesize
129B

MD5
e94c593841101105515af9ec3d334797

SHA1
772b741734ea3cb2cea84ae2b94ee920d5e39532

SHA256
8fd4875043d0fbc75fd4164d61ceb0b06aba2eac04f46bcf677aaeaa812c9aeb

SHA512
ba990015cc9801c95ea65564b970a57b90c0cbb18aed91ed51b175fb24500ec909eee821f027fd820f8001f8b314f4c57933b862c294664fe3f69f94ca46f683

Download Submit
memory/1364-1-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/1364-2790-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/1364-2791-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/1364-0-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/1364-2-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/1364-2789-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/2240-2850-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/2240-2852-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/2240-2853-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/2240-2851-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/2240-2849-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/2240-2848-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2240-2847-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/4080-2803-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmp

Filesize
64KB

Download
memory/4080-2845-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download
memory/4080-2846-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download
memory/4080-2816-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download
memory/4080-2815-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download
memory/4080-2814-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmp

Filesize
64KB

Download
memory/4080-2813-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download
memory/4080-2811-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmp

Filesize
64KB

Download
memory/4080-2806-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmp

Filesize
64KB

Download
memory/4080-2808-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download
memory/4080-2854-0x00007FFE68110000-0x00007FFE68120000-memory.dmp

Filesize
64KB

Download
memory/4080-2855-0x00007FFE68110000-0x00007FFE68120000-memory.dmp

Filesize
64KB

Download
memory/4080-2805-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download
memory/4080-2804-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmp

Filesize
64KB

Download
memory/4080-2877-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download
memory/4080-2878-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download
memory/4080-2879-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads