4fa2a72a2358d6c8d20940e46ef4d8e019110abe76d9af0371eb85b12eb908ef

General

Target

INVOICE 1284 - DO 1494 - PO073400-1.js
Size

9KB
MD5

34816f8d37a4fa88ebb8d8c45d9f5966
SHA1

baab76a126651ea4c14432cf77f142e856accc5f
SHA256

4fa2a72a2358d6c8d20940e46ef4d8e019110abe76d9af0371eb85b12eb908ef
SHA512

9ab72f7ba776388327260627c43ce54ff420f760989ecd5e252d4780b02ba632367b3b9ac48d378660c1efc960166e2edc938046f57ae063641747767acbe6d8
SSDEEP

192:t/Mhwhyw7h9s0jpb/a26Ky3hq/ry/+MZOMr8zJ9Bm/03H3LNSozkqjvbNHgS:tMyX7v/jVGLaMwzJDzLoozDjvbNAS

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	900	wscript.exe
6	900	wscript.exe
8	900	wscript.exe
10	900	wscript.exe
12	900	wscript.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1728	NHHiK.exe

Deletes itself 1 IoCs

pid	Process
900	wscript.exe

Loads dropped DLL 2 IoCs

pid	Process
900	wscript.exe
240	netsh.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 1824	1728	NHHiK.exe	31
PID 1824 set thread context of 1244	1824	aspnet_compiler.exe	14
PID 240 set thread context of 1244	240	netsh.exe	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	wscript.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1728	NHHiK.exe
1728	NHHiK.exe
1824	aspnet_compiler.exe
1824	aspnet_compiler.exe
1824	aspnet_compiler.exe
1824	aspnet_compiler.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1824	aspnet_compiler.exe
1824	aspnet_compiler.exe
1824	aspnet_compiler.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe
240	netsh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	NHHiK.exe
Token: SeDebugPrivilege	1824	aspnet_compiler.exe
Token: SeDebugPrivilege	240	netsh.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1728	900	wscript.exe	29
PID 900 wrote to memory of 1728	900	wscript.exe	29
PID 900 wrote to memory of 1728	900	wscript.exe	29
PID 1728 wrote to memory of 832	1728	NHHiK.exe	30
PID 1728 wrote to memory of 832	1728	NHHiK.exe	30
PID 1728 wrote to memory of 832	1728	NHHiK.exe	30
PID 1728 wrote to memory of 832	1728	NHHiK.exe	30
PID 1728 wrote to memory of 1824	1728	NHHiK.exe	31
PID 1728 wrote to memory of 1824	1728	NHHiK.exe	31
PID 1728 wrote to memory of 1824	1728	NHHiK.exe	31
PID 1728 wrote to memory of 1824	1728	NHHiK.exe	31
PID 1728 wrote to memory of 1824	1728	NHHiK.exe	31
PID 1728 wrote to memory of 1824	1728	NHHiK.exe	31
PID 1728 wrote to memory of 1824	1728	NHHiK.exe	31
PID 1244 wrote to memory of 240	1244	Explorer.EXE	32
PID 1244 wrote to memory of 240	1244	Explorer.EXE	32
PID 1244 wrote to memory of 240	1244	Explorer.EXE	32
PID 1244 wrote to memory of 240	1244	Explorer.EXE	32
PID 240 wrote to memory of 560	240	netsh.exe	33
PID 240 wrote to memory of 560	240	netsh.exe	33
PID 240 wrote to memory of 560	240	netsh.exe	33
PID 240 wrote to memory of 560	240	netsh.exe	33
PID 240 wrote to memory of 560	240	netsh.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\INVOICE 1284 - DO 1494 - PO073400-1.js"
  2⤵
  - Blocklisted process makes network request
  - Deletes itself
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\NHHiK.exe
    "C:\Users\Admin\AppData\Local\Temp\NHHiK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1824
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NHHiK.exe

Filesize
319KB

MD5
c4be76b428d6f38b335c49e360e3e8d6

SHA1
b11aae54347f7d42a7168413b03e7d743b850daf

SHA256
8709e33a0e8a32066bed154147f47696c267a850c744c39167ec541b917403bd

SHA512
63ad32aa52e9e453da3030589d086a690dfceb21efc8c952d680dc9c783917581c02f778687dd78bebd54da38fe29f8c8df47f25a10031a41f9257002cdcaeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHHiK.exe

Filesize
319KB

MD5
c4be76b428d6f38b335c49e360e3e8d6

SHA1
b11aae54347f7d42a7168413b03e7d743b850daf

SHA256
8709e33a0e8a32066bed154147f47696c267a850c744c39167ec541b917403bd

SHA512
63ad32aa52e9e453da3030589d086a690dfceb21efc8c952d680dc9c783917581c02f778687dd78bebd54da38fe29f8c8df47f25a10031a41f9257002cdcaeda

Download Submit
\Users\Admin\AppData\Local\Temp\NHHiK.exe

Filesize
319KB

MD5
c4be76b428d6f38b335c49e360e3e8d6

SHA1
b11aae54347f7d42a7168413b03e7d743b850daf

SHA256
8709e33a0e8a32066bed154147f47696c267a850c744c39167ec541b917403bd

SHA512
63ad32aa52e9e453da3030589d086a690dfceb21efc8c952d680dc9c783917581c02f778687dd78bebd54da38fe29f8c8df47f25a10031a41f9257002cdcaeda

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
841KB

MD5
5fc6cd5d5ca1489d2a3c361717359a95

SHA1
5c630e232cd5761e7a611e41515be4afa3e7a141

SHA256
85c8b8a648c56cf5f063912e0e26ecebb90e0caf2f442fd5cdd8287301fe7e81

SHA512
5f9124a721f6b463d4f980920e87925098aa753b0fa2a59a3ff48b48d2b1a45d760fd46445414d84fb66321181cd2c82a4194361811114c15e35b42f838ab792

Download Submit
memory/240-74-0x0000000000C00000-0x0000000000F03000-memory.dmp

Filesize
3.0MB

Download
memory/240-71-0x0000000000000000-mapping.dmp

Download
memory/240-72-0x00000000015F0000-0x000000000160B000-memory.dmp

Filesize
108KB

Download
memory/240-77-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/240-73-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/240-75-0x0000000000A40000-0x0000000000ACF000-memory.dmp

Filesize
572KB

Download
memory/900-54-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download
memory/1244-76-0x0000000006A00000-0x0000000006AD6000-memory.dmp

Filesize
856KB

Download
memory/1244-70-0x0000000006E20000-0x0000000006F1D000-memory.dmp

Filesize
1012KB

Download
memory/1244-79-0x0000000006A00000-0x0000000006AD6000-memory.dmp

Filesize
856KB

Download
memory/1728-60-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/1728-59-0x0000000000D20000-0x0000000000D76000-memory.dmp

Filesize
344KB

Download
memory/1728-56-0x0000000000000000-mapping.dmp

Download
memory/1824-69-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1824-68-0x0000000000A70000-0x0000000000D73000-memory.dmp

Filesize
3.0MB

Download
memory/1824-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-65-0x00000000004012E0-mapping.dmp

Download
memory/1824-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads