54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

Analysis

max time kernel
33s
max time network
20s
platform
windows7_x64
resource
win7v20210410
submitted
13-08-2021 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2AD561E9BB9F780F56D5E7A280574432.exe
Size

375KB
MD5

2ad561e9bb9f780f56d5e7a280574432
SHA1

e6bc833d62ef0ec1e08674a0a8707e3ce2f09007
SHA256

54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3
SHA512

8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2AD561E9BB9F780F56D5E7A280574432.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\putty.exe\","	2AD561E9BB9F780F56D5E7A280574432.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

powershell.exepowershell.exe2AD561E9BB9F780F56D5E7A280574432.exepowershell.exe

pid	process
1980	powershell.exe
1980	powershell.exe
1488	powershell.exe
1488	powershell.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
1156	powershell.exe
1156	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeIncreaseQuotaPrivilege	1980	powershell.exe
Token: SeSecurityPrivilege	1980	powershell.exe
Token: SeTakeOwnershipPrivilege	1980	powershell.exe
Token: SeLoadDriverPrivilege	1980	powershell.exe
Token: SeSystemProfilePrivilege	1980	powershell.exe
Token: SeSystemtimePrivilege	1980	powershell.exe
Token: SeProfSingleProcessPrivilege	1980	powershell.exe
Token: SeIncBasePriorityPrivilege	1980	powershell.exe
Token: SeCreatePagefilePrivilege	1980	powershell.exe
Token: SeBackupPrivilege	1980	powershell.exe
Token: SeRestorePrivilege	1980	powershell.exe
Token: SeShutdownPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeSystemEnvironmentPrivilege	1980	powershell.exe
Token: SeRemoteShutdownPrivilege	1980	powershell.exe
Token: SeUndockPrivilege	1980	powershell.exe
Token: SeManageVolumePrivilege	1980	powershell.exe
Token: 33	1980	powershell.exe
Token: 34	1980	powershell.exe
Token: 35	1980	powershell.exe
Token: SeIncreaseQuotaPrivilege	1980	powershell.exe
Token: SeSecurityPrivilege	1980	powershell.exe
Token: SeTakeOwnershipPrivilege	1980	powershell.exe
Token: SeLoadDriverPrivilege	1980	powershell.exe
Token: SeSystemProfilePrivilege	1980	powershell.exe
Token: SeSystemtimePrivilege	1980	powershell.exe
Token: SeProfSingleProcessPrivilege	1980	powershell.exe
Token: SeIncBasePriorityPrivilege	1980	powershell.exe
Token: SeCreatePagefilePrivilege	1980	powershell.exe
Token: SeBackupPrivilege	1980	powershell.exe
Token: SeRestorePrivilege	1980	powershell.exe
Token: SeShutdownPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeSystemEnvironmentPrivilege	1980	powershell.exe
Token: SeRemoteShutdownPrivilege	1980	powershell.exe
Token: SeUndockPrivilege	1980	powershell.exe
Token: SeManageVolumePrivilege	1980	powershell.exe
Token: 33	1980	powershell.exe
Token: 34	1980	powershell.exe
Token: 35	1980	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeIncreaseQuotaPrivilege	1488	powershell.exe
Token: SeSecurityPrivilege	1488	powershell.exe
Token: SeTakeOwnershipPrivilege	1488	powershell.exe
Token: SeLoadDriverPrivilege	1488	powershell.exe
Token: SeSystemProfilePrivilege	1488	powershell.exe
Token: SeSystemtimePrivilege	1488	powershell.exe
Token: SeProfSingleProcessPrivilege	1488	powershell.exe
Token: SeIncBasePriorityPrivilege	1488	powershell.exe
Token: SeCreatePagefilePrivilege	1488	powershell.exe
Token: SeBackupPrivilege	1488	powershell.exe
Token: SeRestorePrivilege	1488	powershell.exe
Token: SeShutdownPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeSystemEnvironmentPrivilege	1488	powershell.exe
Token: SeRemoteShutdownPrivilege	1488	powershell.exe
Token: SeUndockPrivilege	1488	powershell.exe
Token: SeManageVolumePrivilege	1488	powershell.exe
Token: 33	1488	powershell.exe
Token: 34	1488	powershell.exe
Token: 35	1488	powershell.exe
Token: SeIncreaseQuotaPrivilege	1488	powershell.exe
Token: SeSecurityPrivilege	1488	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

2AD561E9BB9F780F56D5E7A280574432.exeWScript.exe

C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
"C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ikjuwwswk.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\putty.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1156
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:944
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1316
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:828
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5

MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba

MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370

MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b

MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb

MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598

MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c

MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9

MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
44c0b71143ed55871f247f056d94ba9e

SHA1
86bd4b9949eab5935fe399df07547f3e537cffc2

SHA256
e31745ad7ee64cb137991a1f8a04020da348885452b99147f4282227f5559f0e

SHA512
ddd64b46746992af6c79b5f72f6a8588f7db83ad119ec46041a1bfaa2428435d4595b2e24bf5a8ad1d8d39bba1fa16a8f533a5a1ed8331861d4e9bdf81c0f0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Ikjuwwswk.vbs

MD5
3a35a8049e1d1c960d83727fcdc0e1b3

SHA1
41acf6abf00a160e0d4795bc080f540620525f76

SHA256
9be0a227c73471c6797c07b45970b39954ee5715cee41d029c53239cac0578ee

SHA512
256b222634a7acf9e69fe170d97236128f28aa11cb67d6a41e4cdbcfe8c982229801f0c77ae6075665ef4385f93fca00d3a7d5dbaf48e58aea966378c3ac1385

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
58619b83e4f7511bd66fcbcce0bdc516

SHA1
3660b423f8554620012acc159bcd74aa3e085016

SHA256
5b4204abdaf4fb4272be2e28150a4c2493ab70b9116667e705bdeb3e3ab15c68

SHA512
9e7c1037d591fc09db4ab2c2a710ec5ced834d2f6df7d6058f2d8a45e89fd72bd73801c62b04c130057cc12fba6e752e4c857d7002b31f50a15e89f054377ac2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
58619b83e4f7511bd66fcbcce0bdc516

SHA1
3660b423f8554620012acc159bcd74aa3e085016

SHA256
5b4204abdaf4fb4272be2e28150a4c2493ab70b9116667e705bdeb3e3ab15c68

SHA512
9e7c1037d591fc09db4ab2c2a710ec5ced834d2f6df7d6058f2d8a45e89fd72bd73801c62b04c130057cc12fba6e752e4c857d7002b31f50a15e89f054377ac2

Download Submit
memory/1156-138-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/1156-113-0x0000000000000000-mapping.dmp

Download
memory/1156-117-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1156-139-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/1156-116-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1156-119-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1156-130-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1156-125-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/1156-122-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/1156-121-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1156-120-0x0000000004912000-0x0000000004913000-memory.dmp

Filesize
4KB

Download
memory/1156-118-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/1488-107-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/1488-95-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/1488-96-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/1488-94-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1488-93-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1488-92-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1488-104-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1488-91-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1488-88-0x0000000000000000-mapping.dmp

Download
memory/1700-110-0x0000000000000000-mapping.dmp

Download
memory/1980-72-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/1980-86-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1980-63-0x0000000000000000-mapping.dmp

Download
memory/1980-87-0x0000000006640000-0x0000000006641000-memory.dmp

Filesize
4KB

Download
memory/1980-69-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1980-85-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1980-78-0x0000000006180000-0x0000000006181000-memory.dmp

Filesize
4KB

Download
memory/1980-68-0x0000000002070000-0x0000000002CBA000-memory.dmp

Filesize
12.3MB

Download
memory/1980-64-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1980-65-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1980-77-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1980-67-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1980-66-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/2004-109-0x0000000004F20000-0x0000000004F95000-memory.dmp

Filesize
468KB

Download
memory/2004-60-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2004-108-0x0000000001F80000-0x0000000001FC6000-memory.dmp

Filesize
280KB

Download
memory/2004-62-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 2004 wrote to memory of 1980	2004	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 2004 wrote to memory of 1980	2004	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 2004 wrote to memory of 1980	2004	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 2004 wrote to memory of 1980	2004	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 2004 wrote to memory of 1488	2004	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 2004 wrote to memory of 1488	2004	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 2004 wrote to memory of 1488	2004	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 2004 wrote to memory of 1488	2004	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 2004 wrote to memory of 1700	2004	2AD561E9BB9F780F56D5E7A280574432.exe	WScript.exe
PID 2004 wrote to memory of 1700	2004	2AD561E9BB9F780F56D5E7A280574432.exe	WScript.exe
PID 2004 wrote to memory of 1700	2004	2AD561E9BB9F780F56D5E7A280574432.exe	WScript.exe
PID 2004 wrote to memory of 1700	2004	2AD561E9BB9F780F56D5E7A280574432.exe	WScript.exe
PID 2004 wrote to memory of 1728	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1728	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1728	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1728	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 944	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 944	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 944	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 944	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1316	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1316	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1316	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1316	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 828	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 828	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 828	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 828	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1800	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1800	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1800	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1800	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1748	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1748	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1748	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1748	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1768	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1768	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1768	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1768	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1724	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1724	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1724	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1724	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1896	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1896	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1896	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1896	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1884	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1884	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1884	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2004 wrote to memory of 1884	2004	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 1700 wrote to memory of 1156	1700	WScript.exe	powershell.exe
PID 1700 wrote to memory of 1156	1700	WScript.exe	powershell.exe
PID 1700 wrote to memory of 1156	1700	WScript.exe	powershell.exe
PID 1700 wrote to memory of 1156	1700	WScript.exe	powershell.exe