19ee843d37c1586e9058ff1f09c7e7c27da7ae568d44e1c95387b3f851d0c3eb

Analysis

max time kernel
147s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-09-2022 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

goodbye.ps1
Size

7.7MB
MD5

76cb211a39e29bd567554bdf1f2ee63c
SHA1

59e4aa84771e257ccc1e1e1db35608aa9bec9fc8
SHA256

19ee843d37c1586e9058ff1f09c7e7c27da7ae568d44e1c95387b3f851d0c3eb
SHA512

eb0f3858c63c8448ef17bdd8b385cda7596394d6d3a3f0c128a894ce7664fdd45e5a0b83b93ee6557bc78a1f05ae38a4910beb9c61e7f57ce8e84a294470d5f8
SSDEEP

24576:cfn0m/OPb9o/Ha4KZZQLFq487s/0H+VXQ5qDrtj6Bnoi4LD2/Qy4IyQr+KJn04vd:x

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

560 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

368 taskkill.exe

pid	process
560	schtasks.exe

pid	process
368	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1064 powershell.exe
1064 powershell.exe
1632 powershell.exe
1396 powershell.exe
1824 powershell.exe
2004 powershell.exe

pid	process
1064	powershell.exe
1064	powershell.exe
1632	powershell.exe
1396	powershell.exe
1824	powershell.exe
2004	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

powershell.exeWScript.execmd.exepowershell.exemshta.execmd.exeWScript.execmd.exemshta.exetaskeng.exeWScript.exeWScript.exe

description	pid	process	target process
PID 1064 wrote to memory of 656	1064	powershell.exe	WScript.exe
PID 1064 wrote to memory of 656	1064	powershell.exe	WScript.exe
PID 1064 wrote to memory of 656	1064	powershell.exe	WScript.exe
PID 1064 wrote to memory of 560	1064	powershell.exe	schtasks.exe
PID 1064 wrote to memory of 560	1064	powershell.exe	schtasks.exe
PID 1064 wrote to memory of 560	1064	powershell.exe	schtasks.exe
PID 656 wrote to memory of 1052	656	WScript.exe	cmd.exe
PID 656 wrote to memory of 1052	656	WScript.exe	cmd.exe
PID 656 wrote to memory of 1052	656	WScript.exe	cmd.exe
PID 1052 wrote to memory of 1632	1052	cmd.exe	powershell.exe
PID 1052 wrote to memory of 1632	1052	cmd.exe	powershell.exe
PID 1052 wrote to memory of 1632	1052	cmd.exe	powershell.exe
PID 1632 wrote to memory of 1160	1632	powershell.exe	cmstp.exe
PID 1632 wrote to memory of 1160	1632	powershell.exe	cmstp.exe
PID 1632 wrote to memory of 1160	1632	powershell.exe	cmstp.exe
PID 1916 wrote to memory of 288	1916	mshta.exe	cmd.exe
PID 1916 wrote to memory of 288	1916	mshta.exe	cmd.exe
PID 1916 wrote to memory of 288	1916	mshta.exe	cmd.exe
PID 288 wrote to memory of 908	288	cmd.exe	WScript.exe
PID 288 wrote to memory of 908	288	cmd.exe	WScript.exe
PID 288 wrote to memory of 908	288	cmd.exe	WScript.exe
PID 908 wrote to memory of 1288	908	WScript.exe	cmd.exe
PID 908 wrote to memory of 1288	908	WScript.exe	cmd.exe
PID 908 wrote to memory of 1288	908	WScript.exe	cmd.exe
PID 1288 wrote to memory of 1396	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 1396	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 1396	1288	cmd.exe	powershell.exe
PID 1560 wrote to memory of 368	1560	mshta.exe	taskkill.exe
PID 1560 wrote to memory of 368	1560	mshta.exe	taskkill.exe
PID 1560 wrote to memory of 368	1560	mshta.exe	taskkill.exe
PID 1316 wrote to memory of 780	1316	taskeng.exe	WScript.exe
PID 1316 wrote to memory of 780	1316	taskeng.exe	WScript.exe
PID 1316 wrote to memory of 780	1316	taskeng.exe	WScript.exe
PID 780 wrote to memory of 1824	780	WScript.exe	powershell.exe
PID 780 wrote to memory of 1824	780	WScript.exe	powershell.exe
PID 780 wrote to memory of 1824	780	WScript.exe	powershell.exe
PID 1316 wrote to memory of 1964	1316	taskeng.exe	WScript.exe
PID 1316 wrote to memory of 1964	1316	taskeng.exe	WScript.exe
PID 1316 wrote to memory of 1964	1316	taskeng.exe	WScript.exe
PID 1964 wrote to memory of 2004	1964	WScript.exe	powershell.exe
PID 1964 wrote to memory of 2004	1964	WScript.exe	powershell.exe
PID 1964 wrote to memory of 2004	1964	WScript.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\goodbye.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\a.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\Favorites\a.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\b.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\cmstp.exe
"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\f3eexp4x.inf
5⤵
PID:1160

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn administartor /sc minute /st 00:10 /tr C:\Users\Admin\Favorites\System.vbs
2⤵
- Creates scheduled task(s)
PID:560

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd.exe /c start """""""" """"%USERPROFILE%\Favorites\Assembly.vbs"""""",0:close")
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\Favorites\Assembly.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\Assembly.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\Favorites\x.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\x.ps1
5⤵
- UAC bypass
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close")
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\system32\taskeng.exe
taskeng.exe {ED75D554-E013-401D-81DB-19E247EACAEA} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
abf84dc6b0e93f3a03555e502834c556

SHA1
540dd6c0f1b0df2507cde4454a56dae12672aecd

SHA256
aef32a505bd3a296e1063ee2b7b0f2dbdf53c67cbf185a6b312750c13488e120

SHA512
bbe818c5bf1eb16787cfe5d0ceb3240b1a8913bf8e0d10ffd9dd4774edce2c1cb8bdc6252ec1967bdc1b1137795b4a4363da4a54a26f56ea76b6839aeeb90514

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
abf84dc6b0e93f3a03555e502834c556

SHA1
540dd6c0f1b0df2507cde4454a56dae12672aecd

SHA256
aef32a505bd3a296e1063ee2b7b0f2dbdf53c67cbf185a6b312750c13488e120

SHA512
bbe818c5bf1eb16787cfe5d0ceb3240b1a8913bf8e0d10ffd9dd4774edce2c1cb8bdc6252ec1967bdc1b1137795b4a4363da4a54a26f56ea76b6839aeeb90514

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
abf84dc6b0e93f3a03555e502834c556

SHA1
540dd6c0f1b0df2507cde4454a56dae12672aecd

SHA256
aef32a505bd3a296e1063ee2b7b0f2dbdf53c67cbf185a6b312750c13488e120

SHA512
bbe818c5bf1eb16787cfe5d0ceb3240b1a8913bf8e0d10ffd9dd4774edce2c1cb8bdc6252ec1967bdc1b1137795b4a4363da4a54a26f56ea76b6839aeeb90514

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
abf84dc6b0e93f3a03555e502834c556

SHA1
540dd6c0f1b0df2507cde4454a56dae12672aecd

SHA256
aef32a505bd3a296e1063ee2b7b0f2dbdf53c67cbf185a6b312750c13488e120

SHA512
bbe818c5bf1eb16787cfe5d0ceb3240b1a8913bf8e0d10ffd9dd4774edce2c1cb8bdc6252ec1967bdc1b1137795b4a4363da4a54a26f56ea76b6839aeeb90514

Download Submit
C:\Users\Admin\Favorites\Assembly.vbs
Filesize
331B

MD5
66d268811c166c82aaef2f52450b0c73

SHA1
f7810c1003732c440b986718a8217dd733e88f74

SHA256
581df8170200c95d38ce78eba4e9942d47cad443bbc0148954e48df04eec3b34

SHA512
36de3a5f59ee7a531832ae7e43997a3019ad8a15b0d1b321e589a85d77af27dab80b90a0ef5c978c4fffcc4d32fe8d870f60e9cf3e5bff302e4292bfc6196830

Download Submit
C:\Users\Admin\Favorites\System.vbs
Filesize
121B

MD5
dada8407cf4051919362d16a6d735cde

SHA1
8a2788926f97dbd59c99ad51b3383c59992c6c2e

SHA256
ee512a4266049b505b2b5c6c4c7bd66baadd37eda61bfe7f31f6cfcc1c955a77

SHA512
42c6b1fac8502e3b21cbd6cda11601afc55ca539db03667eec7c839bc33c70ed1a6aeba5a3c9684951143658b17183c2782bec8a0108b345c0ac2aebdaa8fc9f

Download Submit
C:\Users\Admin\Favorites\UAC-B.dll
Filesize
11KB

MD5
cc6ba6fc273dbfbb5c9698c0cf4719b9

SHA1
a2b3433b728b0874ec69d8a629d5f0dd05c0946d

SHA256
320316cdda2aa0e8709472a2b8eb8debcd0f8bb6f9af4d4d4b3bc67068ceebe7

SHA512
fe2fe2f150fbf619dd7616c86c93a42446b7c915b92fb865971dcf7dd595c6483da7386ce40b99802dc0942068bd1703821e0e3b15a6ebe557619cf6fa413c61

Download Submit
C:\Users\Admin\Favorites\a.bat
Filesize
86B

MD5
4625a049cd6ea721b706699ab3c36dff

SHA1
dbb82c9e8cb7bdcf617e7c4e158d031275b5ec24

SHA256
c751a3cb67ab1c75f1de6e24b7193123cc815524c538973110d1f6027da24dc0

SHA512
35674c3c1d6c449b3716ddf2ca8733e255a8f642723186a847694fb936b50a91e6bd7ab7f6edf1489592a583109739a4f0c12769823e2fc163860eeb7004b6c0

Download Submit
C:\Users\Admin\Favorites\a.vbs
Filesize
485B

MD5
5ce49e20c572f2b6d4b43fc61a6906ec

SHA1
170185b8ab9fc4749f28e5796999c23b50be89dc

SHA256
d6a43aad0aa8e510f01409921c8b0b5c8d93d51d1f7f39340db775c164686412

SHA512
c49e14c094e4d5e108aa50889a9fb06428a3d7a1f74d868c9b7d37f35658a64ea205b00681ad83aef428113fdf6fead8ef98dd1e6b38d84b8306765025c2e8e3

Download Submit
C:\Users\Admin\Favorites\b.ps1
Filesize
173B

MD5
e1d9cbc41ffacef02695df17824a82e0

SHA1
970ae087b8a3d11fb3e2a9b8de1592a166436fa7

SHA256
61571d1fd0000c02eef19b7dd6e452e2f9eba2e947f4c96d781e79d35802043f

SHA512
3b4034b2072a309adeb1af8b540023791262915f4b1347f4aa27f8aedcbbb6e1126c1a4d5f1db1ce2ad5638d24d7ba3025a8451c291241db2f2a99b0832f620a

Download Submit
C:\Users\Admin\Favorites\micro.ps1
Filesize
888KB

MD5
2c012c85dad2ed3845d3606fb4204d9d

SHA1
aae41574a6a9fe13b8552a3aba61bc5a550d4161

SHA256
ad4059af90d7d3a2690eef17d4fe45cc1d6b5b8c0ae806bc0d598e5a4838cd84

SHA512
7d9da6e1f243a2bd55b7ce91d2657077268612cc176bc279e79fabedcd7cde740534d46289371759532e31676f62f76af602780f4f728437bc8344e62799873d

Download Submit
C:\Users\Admin\Favorites\micro.ps1
Filesize
444KB

MD5
6c7473033862bc8f2d1ca5d2f64593a8

SHA1
420a0f9508cf7a6e17ecb7670a9df7cbbb8c24d7

SHA256
72842be7f7e16ffbb22c2646b18aa647537742782c2df530ad5076890743ea0e

SHA512
2a9eda8fec9f0684bb2a8016868150a660181dabdfb29eec7a942ee4f843c63a854c42aaab2395e418dbb35be11134ec4ff5014e2daa4210bd891238d759f2f2

Download Submit
C:\Users\Admin\Favorites\x.bat
Filesize
86B

MD5
03fc58bceab448c9f183fbe86fed1f11

SHA1
07f3d54b0b40755e8f58f5fdab95049def6578e3

SHA256
6062f0e764ccd855b61ba49720065dfd6f6c6864c4eb1e9dce95ba8a293fd756

SHA512
c0e9aec7a6c5aaae3b018d44f1fbdc1939026ce16fad20211a0521e3db9e470d842508b7d2167672e1585bafeb4b2f1fe694ca96ddb9137ff9e5d3b4ca53ea4f

Download Submit
C:\Users\Admin\Favorites\x.ps1
Filesize
567B

MD5
e9859d3134c68db3134a6ca7df484344

SHA1
f4eec5ee9aa11a82d19bdb78a174c574669fd1d8

SHA256
a4aaf6c64969788732b20c79c1299719b84a52eddda13778a672195bbfba4a6c

SHA512
47982ddf074418c350790f5f7d53edddbbb47e7768939ebf88f4812b01f241c8bff509dbd9a8e6232eb6ec7f8b0344a1a59474ea45da0c80af9f04ba21498cdb

Download Submit
C:\Windows\temp\f3eexp4x.inf
Filesize
834B

MD5
09c0056318d62ee84963c66ae83d6c1b

SHA1
625936963d4a0059daff7222a1628198be9b7a4f

SHA256
25b2a55bade39fe6d90e0fb06068062a95af522f62d743454ffa4ddd478781d8

SHA512
b03301fcafbc905ac7724b5ee878208c4c7dc039b02edcfc00e51742c868ab4cf3f830dbbe52b314ee24f8d87f39b6c9eb3e6c188ddc75a9b52f7dfab85cb2d0

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/288-84-0x0000000000000000-mapping.dmp

Download
memory/368-110-0x0000000000000000-mapping.dmp

Download
memory/560-62-0x0000000000000000-mapping.dmp

Download
memory/656-61-0x0000000000000000-mapping.dmp

Download
memory/780-120-0x0000000000000000-mapping.dmp

Download
memory/908-103-0x0000000000000000-mapping.dmp

Download
memory/1052-66-0x0000000000000000-mapping.dmp

Download
memory/1064-60-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1064-59-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1064-58-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1064-56-0x000007FEF3D40000-0x000007FEF489D000-memory.dmp

Filesize
11.4MB

Download
memory/1064-67-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1064-57-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1064-54-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1064-55-0x000007FEF48A0000-0x000007FEF52C3000-memory.dmp

Filesize
10.1MB

Download
memory/1160-77-0x0000000000000000-mapping.dmp

Download
memory/1288-106-0x0000000000000000-mapping.dmp

Download
memory/1396-117-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/1396-118-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/1396-113-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/1396-114-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/1396-107-0x0000000000000000-mapping.dmp

Download
memory/1396-116-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/1396-112-0x000007FEEE8F0000-0x000007FEEF44D000-memory.dmp

Filesize
11.4MB

Download
memory/1632-81-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1632-72-0x000007FEF33A0000-0x000007FEF3EFD000-memory.dmp

Filesize
11.4MB

Download
memory/1632-80-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/1632-68-0x0000000000000000-mapping.dmp

Download
memory/1632-74-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/1632-73-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1632-71-0x000007FEF3F00000-0x000007FEF4923000-memory.dmp

Filesize
10.1MB

Download
memory/1632-82-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/1824-128-0x000007FEF33A0000-0x000007FEF3EFD000-memory.dmp

Filesize
11.4MB

Download
memory/1824-123-0x0000000000000000-mapping.dmp

Download
memory/1824-131-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1824-129-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1824-133-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1824-134-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1824-130-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1824-127-0x000007FEF3F00000-0x000007FEF4923000-memory.dmp

Filesize
10.1MB

Download
memory/1964-135-0x0000000000000000-mapping.dmp

Download
memory/2004-137-0x0000000000000000-mapping.dmp

Download
memory/2004-141-0x000007FEF3D40000-0x000007FEF489D000-memory.dmp

Filesize
11.4MB

Download
memory/2004-142-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2004-140-0x000007FEF48A0000-0x000007FEF52C3000-memory.dmp

Filesize
10.1MB

Download
memory/2004-144-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads