6f640c50c4995890bb6f4243695caed28b7907d244800526fac18747a6766b05

General

Target

Document.doc.scr
Size

194KB
MD5

ae811bd6440b425e6777f0ca001a9743
SHA1

70902540ead269971e149eaff568fb17d04156af
SHA256

86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498
SHA512

3617d8e77c221525125778cf64f2525136f7958766f5bed0fd7bfe00e7f738017d2840972acc628e4c3471b93cf6d52ccd619f49bdbbcff824c12cac8e1ea88e
SSDEEP

3072:a6glyuxE4GsUPnliByocWepiHkZmlkQIQP6fo:a6gDBGpvEByocWeQwLAPm

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (616) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

6850.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation 6850.tmp
Deletes itself 1 IoCs

Processes:

6850.tmp

pid process

2248 6850.tmp
Executes dropped EXE 1 IoCs

Processes:

6850.tmp

pid process

2248 6850.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	6850.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

Document.doc.scr

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4084619521-2220719027-1909462854-1000\desktop.ini	Document.doc.scr
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4084619521-2220719027-1909462854-1000\desktop.ini	Document.doc.scr

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPolv3upc05b57uyhaul9_6s84d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPurcun58njwe4c5eeq2i9gu8qc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPwnza2q4kr9tgf7tk1kd1gz3kd.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Document.doc.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kZd6jLIwz.bmp"	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kZd6jLIwz.bmp"	Document.doc.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Document.doc.scr6850.tmp

pid process

1936 Document.doc.scr
1936 Document.doc.scr
1936 Document.doc.scr
1936 Document.doc.scr
2248 6850.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\Desktop	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\Desktop\WallpaperStyle = "10"	Document.doc.scr

Modifies registry class 5 IoCs

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kZd6jLIwz	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kZd6jLIwz\ = "kZd6jLIwz"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz\DefaultIcon	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz\DefaultIcon\ = "C:\\ProgramData\\kZd6jLIwz.ico"	Document.doc.scr

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

1644 ONENOTE.EXE
1644 ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Document.doc.scr

pid	process
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr
1936	Document.doc.scr

Suspicious behavior: RenamesItself 26 IoCs

Processes:

6850.tmp

pid	process
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp
2248	6850.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Document.doc.scr

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeDebugPrivilege	1936	Document.doc.scr
Token: 36	1936	Document.doc.scr
Token: SeImpersonatePrivilege	1936	Document.doc.scr
Token: SeIncBasePriorityPrivilege	1936	Document.doc.scr
Token: SeIncreaseQuotaPrivilege	1936	Document.doc.scr
Token: 33	1936	Document.doc.scr
Token: SeManageVolumePrivilege	1936	Document.doc.scr
Token: SeProfSingleProcessPrivilege	1936	Document.doc.scr
Token: SeRestorePrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSystemProfilePrivilege	1936	Document.doc.scr
Token: SeTakeOwnershipPrivilege	1936	Document.doc.scr
Token: SeShutdownPrivilege	1936	Document.doc.scr
Token: SeDebugPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeBackupPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr
Token: SeSecurityPrivilege	1936	Document.doc.scr

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

ONENOTE.EXE

pid	process
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE
1644	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Document.doc.scrprintfilterpipelinesvc.exe6850.tmp

description	pid	process	target process
PID 1936 wrote to memory of 3628	1936	Document.doc.scr	splwow64.exe
PID 1936 wrote to memory of 3628	1936	Document.doc.scr	splwow64.exe
PID 3320 wrote to memory of 1644	3320	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3320 wrote to memory of 1644	3320	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 1936 wrote to memory of 2248	1936	Document.doc.scr	6850.tmp
PID 1936 wrote to memory of 2248	1936	Document.doc.scr	6850.tmp
PID 1936 wrote to memory of 2248	1936	Document.doc.scr	6850.tmp
PID 1936 wrote to memory of 2248	1936	Document.doc.scr	6850.tmp
PID 2248 wrote to memory of 2532	2248	6850.tmp	cmd.exe
PID 2248 wrote to memory of 2532	2248	6850.tmp	cmd.exe
PID 2248 wrote to memory of 2532	2248	6850.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:3628

C:\ProgramData\6850.tmp
"C:\ProgramData\6850.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6850.tmp >> NUL
3⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:552

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3320

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3EB60AF5-B7F9-477A-9029-7E99B5713BDA}.xps" 133585329973390000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4084619521-2220719027-1909462854-1000\CCCCCCCCCCC
Filesize
129B

MD5
2726f78eb4531e41a196ec9a38683a72

SHA1
e65746074460ad001370146a1bb27d5c7f8ea1a1

SHA256
8472758c931ae10eadec8c36a40380c664c639d108e568e1d95dad91e46f0763

SHA512
47d2c2071026de13cd256ad4cd18327cbc88f24183911ee309de1433622e762a85ca6350e6e8a44a3bae43247a03363bf29dcb6d3885eb9f53875bec5a265976

Download Submit
C:\ProgramData\6850.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDD
Filesize
194KB

MD5
892bede212bbaae35e828c324938fa54

SHA1
cc11ee1e84bdb92104cb2bd1d222596136716e9a

SHA256
4b7e08e799ef93af51e4a8343dd90ce072507f7547cfcd500b95df826a0a0f30

SHA512
2dba7d9c488e7e704a2457aa14a9a5ee900bd7fe1f9eabcbe15a9769213302f930fda7690b1af757d50a86b8bfd9a84761074ed04737ac1eced1214bd184cee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4B8A25E5-40BA-4C9E-94A2-8CD6A3474245}
Filesize
4KB

MD5
b9c8e5a9addea756d77f499a9be9c24d

SHA1
5207a1d0eefef29eec541a59e222f2cc31279ac4

SHA256
28a31b6e9a40e5909bd6d555c497d06b5e3fe9cdc10ffcf3915d739afdca22d5

SHA512
ac67497b617c87d6ad9035272e226ec9b6ab02af14dcd52e13c1308cbb73c19a11b292918cb344559ea1f556325be9e0c716362694b1152f70d4dbe51b9a83f7

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
Filesize
4KB

MD5
621e9a5463337e81c3530846ba589f28

SHA1
2ddb9edd981388776bef9adefbf3ca8a6b9a9c4a

SHA256
99093feb5a5741dd07405a9e41002930923abef6cf70ce1f118fb51da8c8ad5f

SHA512
2d776dc9d03e9d487ccad66cc268caa73521d17b7d16bf8404ff30d513cc01d274f8b0adc5a39b59eb50008af9f778da74666f965d440534b13a57626a2e0505

Download Submit
C:\kZd6jLIwz.README.txt
Filesize
449B

MD5
c2f46db865b0ba6ef8f9385cf458a56e

SHA1
0b2f94fcf38ef15f59bb86a3296b7da514b4ac4e

SHA256
c25759e6083dd4bf592a6da2063c45def5adc9a6ef2ed15820128a0d838f70fe

SHA512
9927b209ca26e3243fac9f003c6af7663ba84405346fbdb66c6f401387cd20ea3f99d63d0858ebdc76f2e6bc722d41e2a1f599bc6f7d97b0687dba95dea31b39

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4084619521-2220719027-1909462854-1000\DDDDDDDDDDD
Filesize
129B

MD5
b2925b63ba72ba6b20cacd5b18e27f76

SHA1
cce990dc15864ca353e0daf6dfe39a25cb27ad8d

SHA256
5b65c999bb378f3938831b41d969ec78561668de87942e583730c9d23e901b83

SHA512
1276cfa84d54124fcde2069e55f5467db85d02cffe99c14d76e1cee5505be4748ff58ac0273dc8b46947e661cf592f3824f934a067952c4eb61cae951eee45d1

Download Submit
memory/1644-2811-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/1644-2819-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2807-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/1644-2808-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2810-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2809-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/1644-2871-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2872-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2869-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/1644-2816-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/1644-2870-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2818-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2868-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/1644-2867-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/1644-2820-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2822-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2821-0x00007FF92B790000-0x00007FF92B7A0000-memory.dmp

Filesize
64KB

Download
memory/1644-2806-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2823-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2824-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2826-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2825-0x00007FF92B790000-0x00007FF92B7A0000-memory.dmp

Filesize
64KB

Download
memory/1644-2827-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2828-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/1644-2777-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/1644-2866-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/1936-1-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/1936-0-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/2248-2812-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/2248-2817-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/2248-2815-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/2248-2813-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/2248-2814-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads