1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2

General

Target

Document.doc.scr
Size

194KB
MD5

b7b4c97132d03eead1fa9a9352dee6c2
SHA1

c9eb1bdc528076fa9c91668addf0723294ac1575
SHA256

1ecea8b0bc92378bf2bdd1c14ae1628c573569419b91cc34504d2c3f8bb9f8b2
SHA512

cb0023bc6783a94a27d2d4a67c214e8657fd334d1a94a7dba51277363dee2a67e7ecc5fc0788cead1c4e0e2dc7d9aa758203f89dce162184869d20a44d171903
SSDEEP

3072:v6glyuxE4GsUPnliByocWepXKD0/9Wy1Og/ZK99r:v6gDBGpvEByocWehKD0/EWfg3

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (610) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

6775.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation 6775.tmp
Deletes itself 1 IoCs

Processes:

6775.tmp

pid process

2036 6775.tmp
Executes dropped EXE 1 IoCs

Processes:

6775.tmp

pid process

2036 6775.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	6775.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

Document.doc.scr

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1132431369-515282257-1998160155-1000\desktop.ini	Document.doc.scr
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\desktop.ini	Document.doc.scr

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPyx5npff3_pty2ftmk8dvukfp.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP98c8y6beyp4sb7j6kpd74inxd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPq9igtviv5z5cwj1eqitqob46d.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Document.doc.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\te8ZzuVLn.bmp"	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\te8ZzuVLn.bmp"	Document.doc.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Document.doc.scr6775.tmp

pid process

1524 Document.doc.scr
1524 Document.doc.scr
1524 Document.doc.scr
1524 Document.doc.scr
2036 6775.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\WallpaperStyle = "10"	Document.doc.scr

Modifies registry class 5 IoCs

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.te8ZzuVLn	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.te8ZzuVLn\ = "te8ZzuVLn"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\te8ZzuVLn\DefaultIcon	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\te8ZzuVLn	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\te8ZzuVLn\DefaultIcon\ = "C:\\ProgramData\\te8ZzuVLn.ico"	Document.doc.scr

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Document.doc.scr

pid	process
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr
1524	Document.doc.scr

Suspicious behavior: RenamesItself 26 IoCs

Processes:

6775.tmp

pid	process
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp
2036	6775.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Document.doc.scr

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeDebugPrivilege	1524	Document.doc.scr
Token: 36	1524	Document.doc.scr
Token: SeImpersonatePrivilege	1524	Document.doc.scr
Token: SeIncBasePriorityPrivilege	1524	Document.doc.scr
Token: SeIncreaseQuotaPrivilege	1524	Document.doc.scr
Token: 33	1524	Document.doc.scr
Token: SeManageVolumePrivilege	1524	Document.doc.scr
Token: SeProfSingleProcessPrivilege	1524	Document.doc.scr
Token: SeRestorePrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSystemProfilePrivilege	1524	Document.doc.scr
Token: SeTakeOwnershipPrivilege	1524	Document.doc.scr
Token: SeShutdownPrivilege	1524	Document.doc.scr
Token: SeDebugPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeBackupPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr
Token: SeSecurityPrivilege	1524	Document.doc.scr

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
2980	ONENOTE.EXE
2980	ONENOTE.EXE
2980	ONENOTE.EXE
2980	ONENOTE.EXE
2980	ONENOTE.EXE
2980	ONENOTE.EXE
2980	ONENOTE.EXE
2980	ONENOTE.EXE
2980	ONENOTE.EXE
2980	ONENOTE.EXE
2980	ONENOTE.EXE
2980	ONENOTE.EXE
2980	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Document.doc.scrprintfilterpipelinesvc.exe6775.tmp

description	pid	process	target process
PID 1524 wrote to memory of 3620	1524	Document.doc.scr	splwow64.exe
PID 1524 wrote to memory of 3620	1524	Document.doc.scr	splwow64.exe
PID 3872 wrote to memory of 2980	3872	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3872 wrote to memory of 2980	3872	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 1524 wrote to memory of 2036	1524	Document.doc.scr	6775.tmp
PID 1524 wrote to memory of 2036	1524	Document.doc.scr	6775.tmp
PID 1524 wrote to memory of 2036	1524	Document.doc.scr	6775.tmp
PID 1524 wrote to memory of 2036	1524	Document.doc.scr	6775.tmp
PID 2036 wrote to memory of 3372	2036	6775.tmp	cmd.exe
PID 2036 wrote to memory of 3372	2036	6775.tmp	cmd.exe
PID 2036 wrote to memory of 3372	2036	6775.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:3620

C:\ProgramData\6775.tmp
"C:\ProgramData\6775.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6775.tmp >> NUL
3⤵
PID:3372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4600

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3872

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B25EEBB4-86E1-4458-829A-4726F5601C22}.xps" 133585005971370000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1132431369-515282257-1998160155-1000\desktop.ini
Filesize
129B

MD5
64672649c86a19495b82f21796477f6a

SHA1
4d96fb867a8ce30aeddeee20a5e829432770186d

SHA256
4f773b76e504344241a7ef56e5fa36acc490b67b209dda0b32fed7a475ff0fde

SHA512
941a0b5b805560daec1722872582b8b7f6f20c09165bcce3502215b47e5d3a0ee2b6c65c7b6c327c883009d1b1e53ebd8f422a08488c70d73845eeb9a9aa47d2

Download Submit
C:\ProgramData\6775.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDD
Filesize
194KB

MD5
e3042a59dbdf1e18e1217173f93ac25a

SHA1
dbfd0a907601dee0b34b4e0d0219a4bc59547bda

SHA256
5e53adc1c894b2bd3b4d7a0f6bf3924b13aaa6c3a4326b01f3cf16e5f0e3e937

SHA512
06026dc65e6c7c5bdc3ea5607a0c35f1360fbce9aa7aea9862eddd6c531d2d08fe6cdd8aabf057908a01330180c0b146f301e43ca96e23dc4c4fc4e8abafd649

Download Submit
C:\Users\Admin\AppData\Local\Temp\{026F6FB3-3F13-4011-B790-0BA45726AE51}
Filesize
4KB

MD5
25ca16823ffc13b0ee384bc960d8e472

SHA1
1b6ed010b458730819079879fa33befe46c3a58f

SHA256
d24a98d5d36d031b729d07177f927c3e62eeffd22ccad1ae3e40065a368400c5

SHA512
c146d2c3f59280ae776be20dc862806a9f9817e858d3e917c285711164e437faf68d3be1da9369c76aa5a0f67efb130447a13155e224abe48456b5d2a3696168

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
Filesize
4KB

MD5
ee564b1142bb23e7a312204bc33d62b7

SHA1
04531c371229198ee9447bc805d6e76a56472084

SHA256
afc02da04e23a3535cabfd0ef519e744e3e49b1bb7f4a1774a8ca9cd21084614

SHA512
4fcebf8da3f8dd58518543cb42f4d683c9207d15939cd6302ecca5c6e88e813c7e9e4c875c6cef73625ac9cbdeb7e6000a5fba170f00dc0a3b2879d3c0d9dd73

Download Submit
C:\te8ZzuVLn.README.txt
Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\DDDDDDDDDDD
Filesize
129B

MD5
6523ca70962fcef3fa2a654847de3d75

SHA1
d842d5af1d88075d127e11a5893937e57ecf1883

SHA256
6a164699420be2f65e4844569ded1d64224c7af77ef2e995a43b49be91676b80

SHA512
7799d6a0734e015743ab9edb15d3f4296c341fbe8589a175cbb03475bb792b38a7bfb0aa9b76f90d47243b7a3b80693b95c1956b2d5dc14289a50e687f9afcca

Download Submit
memory/1524-1-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/1524-0-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/2036-2793-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/2036-2804-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/2036-2798-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/2036-2794-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/2036-2800-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2036-2801-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2036-2803-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/2980-2805-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2814-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2802-0x00007FF8D4FD0000-0x00007FF8D4FE0000-memory.dmp

Filesize
64KB

Download
memory/2980-2799-0x00007FF8D4FD0000-0x00007FF8D4FE0000-memory.dmp

Filesize
64KB

Download
memory/2980-2797-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2806-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2807-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2809-0x00007FF8D29C0000-0x00007FF8D29D0000-memory.dmp

Filesize
64KB

Download
memory/2980-2808-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2811-0x00007FF8D29C0000-0x00007FF8D29D0000-memory.dmp

Filesize
64KB

Download
memory/2980-2812-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2813-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2810-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2796-0x00007FF8D4FD0000-0x00007FF8D4FE0000-memory.dmp

Filesize
64KB

Download
memory/2980-2815-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2816-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2817-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2818-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2820-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2819-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2821-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2823-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2795-0x00007FF8D4FD0000-0x00007FF8D4FE0000-memory.dmp

Filesize
64KB

Download
memory/2980-2764-0x00007FF8D4FD0000-0x00007FF8D4FE0000-memory.dmp

Filesize
64KB

Download
memory/2980-2847-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download
memory/2980-2848-0x00007FF914F50000-0x00007FF915145000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads