modiloader | 01f7a3f82659bdaeb7a73cc3e89d4e5811cfdfea310ebf0046ed8941528af012

Analysis

max time kernel
173s
max time network
202s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dde5e18-6e34-1b34-eaa0-079990e458a6.eml
Size

967KB
MD5

f63ac0612acff6b62831f2cbe05a745b
SHA1

f3ed7e7b086968230215025a03aa917706618cd2
SHA256

01f7a3f82659bdaeb7a73cc3e89d4e5811cfdfea310ebf0046ed8941528af012
SHA512

9448681f18f2688092c375a0a374d2eedbb769f781f4b117284e7d8b71122c7bc0cb885b83ecf7ef085196b2f67a2e6b8ae79b448f3bef11fbcc265544a5df0a
SSDEEP

24576:3Xgjow3XdMAOGoJHHCu9I0AeMkq1qE+D/DIPFYIcySSgVya:3Xm3O53L5E+DcSSq

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 59 IoCs

resource	yara_rule
behavioral1/memory/1644-253-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-256-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-257-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-260-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-262-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-255-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-263-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-270-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-258-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-259-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-276-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-280-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-283-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-286-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-289-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-292-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-296-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-299-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-302-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-305-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-308-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-311-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-314-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-317-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-320-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-323-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-327-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-331-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-334-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-268-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-269-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-272-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-274-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-265-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-277-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-281-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-284-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-287-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-290-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-295-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-298-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-293-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-300-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-304-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-307-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-312-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-315-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-318-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-321-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-324-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-326-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-329-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-332-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-335-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-266-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-271-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-282-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-278-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-275-0x0000000003390000-0x0000000004390000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1644	x.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
9	drive.google.com

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 505a42884504db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C54F6911-7038-11EF-A0D9-6E295C7D81A3} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\NotifyDownloadComplete = "yes"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063086-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\ = "_OlkBusinessCardControl"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\ = "AddressEntries"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063049-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\ = "_ViewsEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ = "_DRecipientControlEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063097-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\ = "UserProperties"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\ = "OlkControl"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063102-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ = "_AppointmentItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RYPUCSXI\PO BQ87574746.GZ:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RYPUCSXI\PO BQ87574746 (2).GZ\:Zone.Identifier:$DATA	OUTLOOK.EXE
File created	C:\Users\Admin\Desktop\PO BQ87574746.GZ\:Zone.Identifier:$DATA	OUTLOOK.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2720	OUTLOOK.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1644	x.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2720	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2920	7zG.exe
Token: 35	2920	7zG.exe
Token: SeSecurityPrivilege	2920	7zG.exe
Token: SeSecurityPrivilege	2920	7zG.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2720	OUTLOOK.EXE
2372	iexplore.exe
2372	iexplore.exe
2372	iexplore.exe
2372	iexplore.exe
2372	iexplore.exe
2920	7zG.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2372	iexplore.exe
2372	iexplore.exe
600	IEXPLORE.EXE
600	IEXPLORE.EXE
2372	iexplore.exe
2372	iexplore.exe
600	IEXPLORE.EXE
600	IEXPLORE.EXE
2720	OUTLOOK.EXE
2720	OUTLOOK.EXE
2372	iexplore.exe
2372	iexplore.exe
600	IEXPLORE.EXE
600	IEXPLORE.EXE
2720	OUTLOOK.EXE
2476	AcroRd32.exe
2476	AcroRd32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2116	2720	OUTLOOK.EXE	30
PID 2720 wrote to memory of 2116	2720	OUTLOOK.EXE	30
PID 2720 wrote to memory of 2116	2720	OUTLOOK.EXE	30
PID 2720 wrote to memory of 2116	2720	OUTLOOK.EXE	30
PID 2720 wrote to memory of 2116	2720	OUTLOOK.EXE	30
PID 2720 wrote to memory of 2116	2720	OUTLOOK.EXE	30
PID 2720 wrote to memory of 2116	2720	OUTLOOK.EXE	30
PID 2116 wrote to memory of 2372	2116	rundll32.exe	31
PID 2116 wrote to memory of 2372	2116	rundll32.exe	31
PID 2116 wrote to memory of 2372	2116	rundll32.exe	31
PID 2116 wrote to memory of 2372	2116	rundll32.exe	31
PID 2372 wrote to memory of 600	2372	iexplore.exe	32
PID 2372 wrote to memory of 600	2372	iexplore.exe	32
PID 2372 wrote to memory of 600	2372	iexplore.exe	32
PID 2372 wrote to memory of 600	2372	iexplore.exe	32
PID 2372 wrote to memory of 2304	2372	iexplore.exe	34
PID 2372 wrote to memory of 2304	2372	iexplore.exe	34
PID 2372 wrote to memory of 2304	2372	iexplore.exe	34
PID 2720 wrote to memory of 3024	2720	OUTLOOK.EXE	35
PID 2720 wrote to memory of 3024	2720	OUTLOOK.EXE	35
PID 2720 wrote to memory of 3024	2720	OUTLOOK.EXE	35
PID 2720 wrote to memory of 3024	2720	OUTLOOK.EXE	35
PID 1056 wrote to memory of 2476	1056	rundll32.exe	41
PID 1056 wrote to memory of 2476	1056	rundll32.exe	41
PID 1056 wrote to memory of 2476	1056	rundll32.exe	41
PID 1056 wrote to memory of 2476	1056	rundll32.exe	41
PID 2320 wrote to memory of 2336	2320	cmd.exe	45
PID 2320 wrote to memory of 2336	2320	cmd.exe	45
PID 2320 wrote to memory of 2336	2320	cmd.exe	45
PID 2320 wrote to memory of 1644	2320	cmd.exe	46
PID 2320 wrote to memory of 1644	2320	cmd.exe	46
PID 2320 wrote to memory of 1644	2320	cmd.exe	46
PID 2320 wrote to memory of 1644	2320	cmd.exe	46

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\4dde5e18-6e34-1b34-eaa0-079990e458a6.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RYPUCSXI\PO BQ87574746.GZ
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RYPUCSXI\PO BQ87574746.GZ
    3⤵
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:600
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RYPUCSXI\PO BQ87574746.GZ
      4⤵
      PID:2304
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RYPUCSXI\PO BQ87574746.GZ
  2⤵
  PID:3024

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:2892

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\PO BQ87574746\" -ad -an -ai#7zMap13374:82:7zEvent25903
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2920

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\PO BQ87574746\______________________
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\PO BQ87574746\______________________"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2476

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\PO BQ87574746\RFQ_PO94837564_HG8390_BQ3873.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\system32\extrac32.exe
  extrac32 /y "C:\Users\Admin\Desktop\PO BQ87574746\RFQ_PO94837564_HG8390_BQ3873.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
  2⤵
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\x.exe
  "C:\Users\Admin\AppData\Local\Temp\x.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1644

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\PO BQ87574746\RFQ_PO94837564_HG8390_BQ3873.cmd" "
1⤵
PID:2204
- C:\Windows\system32\extrac32.exe
  extrac32 /y "C:\Users\Admin\Desktop\PO BQ87574746\RFQ_PO94837564_HG8390_BQ3873.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
  2⤵
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
2648d8dbe953fe37208cf4c8f5bc43e9

SHA1
5b188bf9a95b95c8d804d759899f0920405c31c3

SHA256
138c6d030d5307b74f34e73b0197b630c9ce08526abaa97f4db9607ec73f94a8

SHA512
fb775296d869d9a7d6c4e8084e905c7552adc89a5d493368705225cedfd33e279b529655372e989c9fe6ba78feca285b7a54f9bad05405bf45901a958d040d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RYPUCSXI\PO BQ87574746.GZ

Filesize
691KB

MD5
517158b1ede9e665f1dcc335b21a70a7

SHA1
b22b48ea6962fbe9aad860d88f745b7f6b9a58a4

SHA256
71dd2b89c1fda9ae7aa0ab2e7d44c1df68de978125a4b39a7872f34e70afe21e

SHA512
f38b1d01922db606bd532793afa6b1349c41ab502c68e658692913024e4e72cf37d8007dd027816a29715ec41b2601eaf23ecc52b068b08d3924f2fffbf7508d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
1.4MB

MD5
80af31738540a39d155b1a1e942d33d1

SHA1
8d34507800d4e01009a1d0c5af13b25f1fc47ef1

SHA256
64ffdb4b728b4294d68b8a979dce1ea056673600da33bf6717feb3475b043e20

SHA512
0f76035a72c06003a6d4f9fc4106d999158cf00de1656641f3c7f7054a5aa2897ee07934c3222121c66047de5398161884f2551830e89a6f35d19f656f06b0e3

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6a2f0e58370ff4c70344c129ad3a74e7

SHA1
1511677f9a078306258199f6160983e948690672

SHA256
5df31c72d09c12a928486ca9470dbaa3e61d83ef5dc20d6bfb3fc54f46f3e95a

SHA512
36fa37258f852bf39e110409931a1692039656b7ddea21af346487eeda54838051805bcb28d90e6efb42a1641de41281b4b5e02b07cea7273f80cd149889698f

Download Submit
C:\Users\Admin\Desktop\PO BQ87574746.GZ:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Desktop\PO BQ87574746\RFQ_PO94837564_HG8390_BQ3873.cmd

Filesize
1.4MB

MD5
64b1d9d05033c73c4920072edf9b035a

SHA1
2a6b96e4bbcc7b11862d5c440339ddd2b03cc82e

SHA256
75ee016e7fbb2b54488be19c17661209f577bb3d626acf79f425e724c26d9329

SHA512
597d0a104cd5785964931abafffecd5f001aee24cc5dc92c56ad92131e432bb06e93493db88d448ad3e07ec943d080a78e282555647ea498f975b71930e04d2a

Download Submit
C:\Users\Admin\Desktop\PO BQ87574746\______________________

Filesize
6B

MD5
59a7e34db94beaca5874abd128ed59f6

SHA1
26b8be3623a3bf6508337b423b05792bffb9c0e4

SHA256
b7ffe04dedbfc786f2bf49e4812fbd07555ad4ef39b57eca2a7778bf57399342

SHA512
d8c81ac116586ac0c6e0c22a9a5469ffb7e0e774b6895ec3c7cd31189164980bad37a252b4152a798d9c8791925de338a433578652dd2c490051186501ed2f0f

Download Submit
memory/1644-327-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-259-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-256-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-257-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-260-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-262-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-255-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-263-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-270-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-258-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-269-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-261-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1644-276-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-280-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-283-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-286-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-289-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-292-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-296-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-299-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-302-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-305-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-308-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-311-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-314-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-317-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-320-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-323-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-251-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-331-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-334-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-278-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-253-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-272-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-274-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-265-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-277-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-281-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-284-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-287-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-290-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-295-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-298-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-293-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-300-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-304-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-307-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-312-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-315-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-318-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-321-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-324-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-326-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-329-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-332-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-335-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-266-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-271-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-282-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-268-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/1644-275-0x0000000003390000-0x0000000004390000-memory.dmp

Filesize
16.0MB

Download
memory/2720-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2720-1-0x0000000073A5D000-0x0000000073A68000-memory.dmp

Filesize
44KB

Download
memory/2720-206-0x0000000008BC0000-0x0000000008BC2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads