vjw0rm | f8273617fe63d7b1e783427b76f0b250b428648e7cb47a45bcf98fa72bc708f3

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 21:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KNRyOLnGcT_UKWN.jar
Size

1.2MB
MD5

5cdffc26c265c48cdbbf1aae06cc101c
SHA1

566fb395a9586ca59c4317af8b8a6e656352d5fa
SHA256

5a894d00f75d512b8b3604dabf49b049f40721a82397ac2e6bdf3f910565c737
SHA512

f0976bf6d5d35f36a8c625b5e520c94e1569da793d3d03e86bd9c6531a0ca2790f003bd5be210267081632e21964fd81936bfbad8cd9d81918666b53514058fd
SSDEEP

24576:q5P4Aday/1OtGC/HPXubl2Emy4AK+5pCwncs9hJh0+bqbK9X2XzVR:MdX8PXuIZZLkpCts9hJh0+OuIzz

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVvEfMYHrV.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVvEfMYHrV.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3952	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\eVvEfMYHrV.js\""	WScript.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 3952	4796	java.exe	92
PID 4796 wrote to memory of 3952	4796	java.exe	92
PID 4796 wrote to memory of 2656	4796	java.exe	91
PID 4796 wrote to memory of 2656	4796	java.exe	91
PID 2656 wrote to memory of 4004	2656	wscript.exe	94
PID 2656 wrote to memory of 4004	2656	wscript.exe	94
PID 2656 wrote to memory of 4656	2656	wscript.exe	93
PID 2656 wrote to memory of 4656	2656	wscript.exe	93
PID 4656 wrote to memory of 4716	4656	javaw.exe	96
PID 4656 wrote to memory of 4716	4656	javaw.exe	96

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\KNRyOLnGcT_UKWN.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\_output.js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\eqvcqytqg.txt"
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.67771077893711063540065672889955501.class
      4⤵
      Drops file in Program Files directory
      PID:4716
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eVvEfMYHrV.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:4004
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:3952

Network

DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

3.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.181.190.20.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response

52.142.223.178:80

46 B
1
93.184.221.240:80

158.1kB
7.5MB
3139
5386
92.123.241.104:80

138 B
80 B
3
2
92.123.241.104:80

138 B
80 B
3
2
20.54.110.119:443
88.221.134.18:80
88.221.134.18:80
93.184.221.240:80
93.184.221.240:80
93.184.221.240:80
93.184.221.240:80
88.221.135.211:80
88.221.134.18:80
88.221.134.18:80
52.111.243.30:443
88.221.134.18:80
93.184.221.240:80
93.184.221.240:80
93.184.221.240:80

8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

2.136.104.51.in-addr.arpa

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

64 B
120 B
1
1

DNS Request

javaslinns.duia.ro
8.8.8.8:53

3.181.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

3.181.190.20.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

213 B
135 B
3
1

DNS Request

41.110.16.96.in-addr.arpa

DNS Request

41.110.16.96.in-addr.arpa

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

216 B
137 B
3
1

DNS Request

18.134.221.88.in-addr.arpa

DNS Request

18.134.221.88.in-addr.arpa

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

64 B
120 B
1
1

DNS Request

javaslinns.duia.ro
8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

144 B
2

DNS Request

119.110.54.20.in-addr.arpa

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

64 B
120 B
1
1

DNS Request

javaslinns.duia.ro
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

30.243.111.52.in-addr.arpa

DNS Request

30.243.111.52.in-addr.arpa
8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

128 B
240 B
2
2

DNS Request

javaslinns.duia.ro

DNS Request

javaslinns.duia.ro
8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

128 B
240 B
2
2

DNS Request

javaslinns.duia.ro

DNS Request

javaslinns.duia.ro
8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

128 B
240 B
2
2

DNS Request

javaslinns.duia.ro

DNS Request

javaslinns.duia.ro
8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

128 B
240 B
2
2

DNS Request

javaslinns.duia.ro

DNS Request

javaslinns.duia.ro
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

173.178.17.96.in-addr.arpa

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

128 B
120 B
2
1

DNS Request

javaslinns.duia.ro

DNS Request

javaslinns.duia.ro
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

142 B
314 B
2
2

DNS Request

43.58.199.20.in-addr.arpa

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

128 B
120 B
2
1

DNS Request

javaslinns.duia.ro

DNS Request

javaslinns.duia.ro
8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

128 B
240 B
2
2

DNS Request

javaslinns.duia.ro

DNS Request

javaslinns.duia.ro
8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

128 B
240 B
2
2

DNS Request

javaslinns.duia.ro

DNS Request

javaslinns.duia.ro

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
411593a9b1853f19195cf9e6749140e2

SHA1
2046ae5a2a28f20c2b6eb9555f80bcb4b226696c

SHA256
f7f03f6db617164d162d3a653d2f6933b8eac245623c7a385d50816466f29d96

SHA512
30db0ec968fb577a445c3c8b70cc4f815b63db22dea7b1dc0e5f175a4cd274bd945c22ec01b93b537bce166b74e0089b1c4c456a5a7bdd55f7983df565702311

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
f7640fc84ac04591db95112d67a64b50

SHA1
a92da1305d995a7dfd52d213858143a374528d40

SHA256
aa72606482919aa48b569809de0ec43fdddedc5599adacb439b44fc86b389a93

SHA512
4250aaef1b194468d7bfb4b09bf556a749283bcbd4caab0f3c950fa66d2ca2a9493607dd05fffe5e18fc4552dbbddcca512e0e50a22fbfb1a34b25766c0c8de7

Download Submit
C:\Users\Admin\AppData\Roaming\eVvEfMYHrV.js

Filesize
14KB

MD5
7da63b5e09aca81ff9226cb98eb7c07f

SHA1
95b8e956af1684adfa7eeb44fbb8703e314ed714

SHA256
9591223d96a8fbdef996a889892846b7162aee19904f030080dbf3ca2d966c20

SHA512
608af6335c141e95cb8b1f95dae2d47c5cc7c0ba18fbcfca851681ddabfa17be920d5d5b2986b0da69fbaec6e4cd9d3bcadc70b6c63e2f9e31957eff6d347e70

Download Submit
C:\Users\Admin\AppData\Roaming\eqvcqytqg.txt

Filesize
256KB

MD5
5c44e3a8f95993ada30b56238ef4e171

SHA1
d9a3453425d9120377a2948c6c4e844d9538d74b

SHA256
003368a4b5d2fc695bf41a5832538395aafc57ef1e09fd5aff7cd30e4c00f73b

SHA512
7a1e063d6a10e7adfb111fe5f5d78c3d7972224498c3ec3b0ff9370e54cd3e7f1f2cc66af7ad739b5dfc0ca4b6ca7ac4213123992a73c1de9de96c0722a21261

Download Submit
C:\Users\Admin\_output.js

Filesize
448KB

MD5
31b111cf9b1723f32171eebad300bc1f

SHA1
e83acce0af6370240f2b3e032123976a5ca1fe16

SHA256
c462a086cb961e26e457f44b24120ba725424da30653d986f5bc3587dc3071f2

SHA512
424cd8e5f3d28995cd98a46b6e946cbe443e86ee662d041aba6a6422ae413fb044f289331d7ad3b5ed97b14f4366947d2afb21816d95c7d78f1fbf74297000f2

Download Submit
memory/4656-63-0x000001C923420000-0x000001C924420000-memory.dmp

Filesize
16.0MB

Download
memory/4656-65-0x000001C923690000-0x000001C9236A0000-memory.dmp

Filesize
64KB

Download
memory/4656-30-0x000001C923420000-0x000001C924420000-memory.dmp

Filesize
16.0MB

Download
memory/4656-37-0x000001C921BF0000-0x000001C921BF1000-memory.dmp

Filesize
4KB

Download
memory/4656-66-0x000001C9236C0000-0x000001C9236D0000-memory.dmp

Filesize
64KB

Download
memory/4656-68-0x000001C9236B0000-0x000001C9236C0000-memory.dmp

Filesize
64KB

Download
memory/4716-44-0x00000218323B0000-0x00000218333B0000-memory.dmp

Filesize
16.0MB

Download
memory/4716-69-0x0000021832620000-0x0000021832630000-memory.dmp

Filesize
64KB

Download
memory/4716-60-0x0000021832390000-0x0000021832391000-memory.dmp

Filesize
4KB

Download
memory/4796-4-0x0000027A00000000-0x0000027A01000000-memory.dmp

Filesize
16.0MB

Download
memory/4796-14-0x0000027A76EB0000-0x0000027A76EB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.