9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00

General

Target

9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Size

76KB
MD5

6837c99ab4aad2a81b42165194ab5ea0
SHA1

5240c3538e1aedbd29e6a927f3d7ca258805fbca
SHA256

9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00
SHA512

dc5fa9ede53098bb386e5f96a9cb530509771e977210475270dbaa705c128079e8d3bb404d6eb5ad027117ba3cd7c5ceada9447a1e1333cf59e7f2c0a654216c
SSDEEP

1536:v70ak+ddygXAyy9v7Z+NoykJHBOAFRfBjG3ldoI0:T0aXdfXAyy9DZ+N7eB+II0

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

SPOOLSV.EXESVCHOST.EXESVCHOST.EXE9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

SPOOLSV.EXESVCHOST.EXESVCHOST.EXE9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

SPOOLSV.EXESVCHOST.EXESVCHOST.EXE9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe

Executes dropped EXE 12 IoCs

Processes:

SVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXE

pid	process
2720	SVCHOST.EXE
2888	SVCHOST.EXE
2636	SVCHOST.EXE
2668	SVCHOST.EXE
2428	SVCHOST.EXE
1844	SPOOLSV.EXE
496	SVCHOST.EXE
2360	SVCHOST.EXE
2544	SPOOLSV.EXE
1744	SPOOLSV.EXE
2288	SVCHOST.EXE
1920	SPOOLSV.EXE

Loads dropped DLL 21 IoCs

Processes:

9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXE

pid	process
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe

description	ioc	process
File opened for modification	C:\Recycled\desktop.ini	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened for modification	F:\Recycled\desktop.ini	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exeSVCHOST.EXESPOOLSV.EXESVCHOST.EXE

description	ioc	process
File opened (read-only)	\??\X:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\N:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\Y:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	SPOOLSV.EXE
File opened (read-only)	\??\G:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\O:	SPOOLSV.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\H:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\I:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\K:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\O:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\R:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\U:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\L:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\T:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\J:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\P:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\E:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\M:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\S:	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\J:	SVCHOST.EXE

Drops file in Windows directory 6 IoCs

Processes:

9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXEWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Fonts\ Explorer.exe	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SVCHOST.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SVCHOST.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SPOOLSV.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SVCHOST.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXEWINWORD.EXE9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exeSPOOLSV.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 28 IoCs

Processes:

SVCHOST.EXE9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exeSVCHOST.EXESPOOLSV.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

3056 WINWORD.EXE

pid	process
3056	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SVCHOST.EXESVCHOST.EXE9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exeSPOOLSV.EXE

pid	process
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2636	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
2720	SVCHOST.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE
1844	SPOOLSV.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXEWINWORD.EXE

pid	process
1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
2720	SVCHOST.EXE
2888	SVCHOST.EXE
2636	SVCHOST.EXE
2668	SVCHOST.EXE
2428	SVCHOST.EXE
1844	SPOOLSV.EXE
496	SVCHOST.EXE
2360	SVCHOST.EXE
2544	SPOOLSV.EXE
1744	SPOOLSV.EXE
2288	SVCHOST.EXE
1920	SPOOLSV.EXE
3056	WINWORD.EXE
3056	WINWORD.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXEWINWORD.EXE

description	pid	process	target process
PID 1700 wrote to memory of 2720	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SVCHOST.EXE
PID 1700 wrote to memory of 2720	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SVCHOST.EXE
PID 1700 wrote to memory of 2720	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SVCHOST.EXE
PID 1700 wrote to memory of 2720	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SVCHOST.EXE
PID 2720 wrote to memory of 2888	2720	SVCHOST.EXE	SVCHOST.EXE
PID 2720 wrote to memory of 2888	2720	SVCHOST.EXE	SVCHOST.EXE
PID 2720 wrote to memory of 2888	2720	SVCHOST.EXE	SVCHOST.EXE
PID 2720 wrote to memory of 2888	2720	SVCHOST.EXE	SVCHOST.EXE
PID 2720 wrote to memory of 2636	2720	SVCHOST.EXE	SVCHOST.EXE
PID 2720 wrote to memory of 2636	2720	SVCHOST.EXE	SVCHOST.EXE
PID 2720 wrote to memory of 2636	2720	SVCHOST.EXE	SVCHOST.EXE
PID 2720 wrote to memory of 2636	2720	SVCHOST.EXE	SVCHOST.EXE
PID 2636 wrote to memory of 2668	2636	SVCHOST.EXE	SVCHOST.EXE
PID 2636 wrote to memory of 2668	2636	SVCHOST.EXE	SVCHOST.EXE
PID 2636 wrote to memory of 2668	2636	SVCHOST.EXE	SVCHOST.EXE
PID 2636 wrote to memory of 2668	2636	SVCHOST.EXE	SVCHOST.EXE
PID 2636 wrote to memory of 2428	2636	SVCHOST.EXE	SVCHOST.EXE
PID 2636 wrote to memory of 2428	2636	SVCHOST.EXE	SVCHOST.EXE
PID 2636 wrote to memory of 2428	2636	SVCHOST.EXE	SVCHOST.EXE
PID 2636 wrote to memory of 2428	2636	SVCHOST.EXE	SVCHOST.EXE
PID 2636 wrote to memory of 1844	2636	SVCHOST.EXE	SPOOLSV.EXE
PID 2636 wrote to memory of 1844	2636	SVCHOST.EXE	SPOOLSV.EXE
PID 2636 wrote to memory of 1844	2636	SVCHOST.EXE	SPOOLSV.EXE
PID 2636 wrote to memory of 1844	2636	SVCHOST.EXE	SPOOLSV.EXE
PID 1844 wrote to memory of 496	1844	SPOOLSV.EXE	SVCHOST.EXE
PID 1844 wrote to memory of 496	1844	SPOOLSV.EXE	SVCHOST.EXE
PID 1844 wrote to memory of 496	1844	SPOOLSV.EXE	SVCHOST.EXE
PID 1844 wrote to memory of 496	1844	SPOOLSV.EXE	SVCHOST.EXE
PID 1844 wrote to memory of 2360	1844	SPOOLSV.EXE	SVCHOST.EXE
PID 1844 wrote to memory of 2360	1844	SPOOLSV.EXE	SVCHOST.EXE
PID 1844 wrote to memory of 2360	1844	SPOOLSV.EXE	SVCHOST.EXE
PID 1844 wrote to memory of 2360	1844	SPOOLSV.EXE	SVCHOST.EXE
PID 1844 wrote to memory of 2544	1844	SPOOLSV.EXE	SPOOLSV.EXE
PID 1844 wrote to memory of 2544	1844	SPOOLSV.EXE	SPOOLSV.EXE
PID 1844 wrote to memory of 2544	1844	SPOOLSV.EXE	SPOOLSV.EXE
PID 1844 wrote to memory of 2544	1844	SPOOLSV.EXE	SPOOLSV.EXE
PID 2720 wrote to memory of 1744	2720	SVCHOST.EXE	SPOOLSV.EXE
PID 2720 wrote to memory of 1744	2720	SVCHOST.EXE	SPOOLSV.EXE
PID 2720 wrote to memory of 1744	2720	SVCHOST.EXE	SPOOLSV.EXE
PID 2720 wrote to memory of 1744	2720	SVCHOST.EXE	SPOOLSV.EXE
PID 1700 wrote to memory of 2288	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SVCHOST.EXE
PID 1700 wrote to memory of 2288	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SVCHOST.EXE
PID 1700 wrote to memory of 2288	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SVCHOST.EXE
PID 1700 wrote to memory of 2288	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SVCHOST.EXE
PID 1700 wrote to memory of 1920	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SPOOLSV.EXE
PID 1700 wrote to memory of 1920	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SPOOLSV.EXE
PID 1700 wrote to memory of 1920	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SPOOLSV.EXE
PID 1700 wrote to memory of 1920	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	SPOOLSV.EXE
PID 1700 wrote to memory of 3056	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	WINWORD.EXE
PID 1700 wrote to memory of 3056	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	WINWORD.EXE
PID 1700 wrote to memory of 3056	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	WINWORD.EXE
PID 1700 wrote to memory of 3056	1700	9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe	WINWORD.EXE
PID 3056 wrote to memory of 2688	3056	WINWORD.EXE	splwow64.exe
PID 3056 wrote to memory of 2688	3056	WINWORD.EXE	splwow64.exe
PID 3056 wrote to memory of 2688	3056	WINWORD.EXE	splwow64.exe
PID 3056 wrote to memory of 2688	3056	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
"C:\Users\Admin\AppData\Local\Temp\9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\recycled\SVCHOST.EXE
  C:\recycled\SVCHOST.EXE :agent
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2888
- - F:\recycled\SVCHOST.EXE
    F:\recycled\SVCHOST.EXE :agent
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2668
  - - F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2428
  - - C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\recycled\SVCHOST.EXE
        
        C:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:496
    - - F:\recycled\SVCHOST.EXE
        
        F:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2360
    - - C:\recycled\SPOOLSV.EXE
        
        C:\recycled\SPOOLSV.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
- - C:\recycled\SPOOLSV.EXE
    C:\recycled\SPOOLSV.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1744
- F:\recycled\SVCHOST.EXE
  F:\recycled\SVCHOST.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2288
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1920
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Windows\Fonts\ Explorer.exe

Filesize
76KB

MD5
50dbceaf77d5af8505a749fc78b46f06

SHA1
d4d4f202d2843d6b93dc84d8b5e00f1b1081583d

SHA256
2d26923245a7698a08ba2b924c787c4f09fd9039c1e9ac73004361fba15999ec

SHA512
385d9f5d0ac47495503a6113adac1190d5f28ec1f6394100ba15d5061bea5bdc58036530f2a9ed44570347c3b4841131a8fd29269537d62e2697e2990205cb9b

Download Submit
C:\Windows\Fonts\ Explorer.exe

Filesize
76KB

MD5
c48e68e2938d4f0878c7201acc3801c0

SHA1
caaacdd516de819e0a2b763e580c2a4fbd509607

SHA256
8fae74854b385bfc43bceeba75b4e62e1fd8ae751463958ba504110000bb9f6d

SHA512
e42f14aa69fc49e3cc1b5bbcbccdce9f26bd0fcd79b1b1d93c2fa1a9bb1f4200a94cc0e6b1be09257e7994f5c535b38249db93bdbb7b53a7c930b6bd64d9503b

Download Submit
C:\begolu.txt

Filesize
2B

MD5
2b9d4fa85c8e82132bde46b143040142

SHA1
a02431cf7c501a5b368c91e41283419d8fa9fb03

SHA256
4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

SHA512
c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Download Submit
F:\Recycled\SVCHOST.EXE

Filesize
76KB

MD5
bdae54ab011b04fd9328450b3b60993e

SHA1
91fcbc02fbb263303f3ee1f16abfb74f7f53fcf6

SHA256
22cb087ed331675a3a1d7028c3aee36885fb8e12818d501b6a04965fb902e732

SHA512
8005559b331691594511b1d9b94c1a9002ea7cad4f3aac2d3fbc7ec5b3b108ee4dfea3b6bdc10b5c27ca7d89e10f63925ce97e3737f35a2b5ee30b28210f10dc

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
76KB

MD5
7df72b33793910616e0d66ed7c2bb8c7

SHA1
56a64cf7a7b5dabce72d6f27aeaf4e479195ed70

SHA256
7aeaa09b16390b65d5df45307b69e779bd03696652c76861ac884225bfeec7a3

SHA512
c03cacafbc6706ffd952d9b0d4454952855f1a606dfc13fdb7ae0bb3d233ca217e5001edc3136f1c42aca1b4aa543af047cb923609fc3195920ed7c9b46734c0

Download Submit
\Recycled\SVCHOST.EXE

Filesize
76KB

MD5
1e301ce3843677216f4ff97573670075

SHA1
be8e44914f2b8f0028d49b603305a0c8c8131f2c

SHA256
dec1fc5ecb01c47d79b1aaa777cdc7be0571f25d09332521794b00adcce8ab68

SHA512
0369a7318bc7b8f0c56fd73f5cbe80e6f37801cd89946968d3a2357eab9800b5ea419e73d0adb0f9712647c724dbdd8236b6c838feffe1765a6bb6eecd3f5840

Download Submit
memory/496-82-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1700-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1700-115-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1700-113-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/1700-23-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/1700-24-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/1744-100-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1844-178-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1844-78-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/1844-77-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/1844-182-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/1920-112-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2288-109-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2360-85-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2360-90-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2428-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2544-91-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2544-94-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2636-59-0x0000000000520000-0x000000000053A000-memory.dmp

Filesize
104KB

Download
memory/2636-65-0x0000000000520000-0x000000000053A000-memory.dmp

Filesize
104KB

Download
memory/2636-51-0x0000000000520000-0x000000000053A000-memory.dmp

Filesize
104KB

Download
memory/2636-174-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2668-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2720-41-0x0000000000550000-0x000000000056A000-memory.dmp

Filesize
104KB

Download
memory/2720-42-0x0000000000550000-0x000000000056A000-memory.dmp

Filesize
104KB

Download
memory/2720-169-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2720-170-0x00000000004F0000-0x000000000050A000-memory.dmp

Filesize
104KB

Download
memory/2720-25-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2888-37-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3056-116-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads