5ede5ee989e327b0562583e3f7563d691b5c1a6ade7804d4c871df84633b5845

General

Target

03042024_2143_Install.js
Size

678KB
MD5

550a5d0ef3c596a05e47361981c0fd17
SHA1

ce47883964e4ca68c30f3dfdc5b8cfde416b4dec
SHA256

5ede5ee989e327b0562583e3f7563d691b5c1a6ade7804d4c871df84633b5845
SHA512

d68416e4abc50a5d8454f17feeda5a975004180283e06455fb8bc65d4a6c7e4ad3e089747e2a460f0ed050c0c0d4ebf3ef34522190a240378ae91dcdc78513c8
SSDEEP

768:DkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLD:DCCCCCCCCCCCCCCCCCCK

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

3 1664 wscript.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.lnk powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

flow	pid	process
3	1664	wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.lnk	powershell.exe

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2744	powershell.exe
2744	powershell.exe
2744	powershell.exe
2524	powershell.exe
2524	powershell.exe
2524	powershell.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
340	powershell.exe
340	powershell.exe
340	powershell.exe
1032	powershell.exe
1032	powershell.exe
1032	powershell.exe
1768	powershell.exe
1768	powershell.exe
1768	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
1556	powershell.exe
1556	powershell.exe
1556	powershell.exe
2088	powershell.exe
2088	powershell.exe
2088	powershell.exe
1616	powershell.exe
1616	powershell.exe
1616	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
860	powershell.exe
860	powershell.exe
860	powershell.exe
1344	powershell.exe
1344	powershell.exe
1344	powershell.exe
2408	powershell.exe
2408	powershell.exe
2408	powershell.exe
1228	powershell.exe
1228	powershell.exe
1228	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
3068	powershell.exe
3068	powershell.exe
3068	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1664 wrote to memory of 2744	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 2744	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 2744	1664	wscript.exe	powershell.exe
PID 2744 wrote to memory of 2508	2744	powershell.exe	cmd.exe
PID 2744 wrote to memory of 2508	2744	powershell.exe	cmd.exe
PID 2744 wrote to memory of 2508	2744	powershell.exe	cmd.exe
PID 1664 wrote to memory of 2524	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 2524	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 2524	1664	wscript.exe	powershell.exe
PID 2524 wrote to memory of 2636	2524	powershell.exe	cmd.exe
PID 2524 wrote to memory of 2636	2524	powershell.exe	cmd.exe
PID 2524 wrote to memory of 2636	2524	powershell.exe	cmd.exe
PID 1664 wrote to memory of 2440	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 2440	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 2440	1664	wscript.exe	powershell.exe
PID 2440 wrote to memory of 684	2440	powershell.exe	cmd.exe
PID 2440 wrote to memory of 684	2440	powershell.exe	cmd.exe
PID 2440 wrote to memory of 684	2440	powershell.exe	cmd.exe
PID 1664 wrote to memory of 340	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 340	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 340	1664	wscript.exe	powershell.exe
PID 340 wrote to memory of 1644	340	powershell.exe	cmd.exe
PID 340 wrote to memory of 1644	340	powershell.exe	cmd.exe
PID 340 wrote to memory of 1644	340	powershell.exe	cmd.exe
PID 1664 wrote to memory of 1032	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 1032	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 1032	1664	wscript.exe	powershell.exe
PID 1032 wrote to memory of 1344	1032	powershell.exe	cmd.exe
PID 1032 wrote to memory of 1344	1032	powershell.exe	cmd.exe
PID 1032 wrote to memory of 1344	1032	powershell.exe	cmd.exe
PID 1664 wrote to memory of 1768	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 1768	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 1768	1664	wscript.exe	powershell.exe
PID 1768 wrote to memory of 2972	1768	powershell.exe	cmd.exe
PID 1768 wrote to memory of 2972	1768	powershell.exe	cmd.exe
PID 1768 wrote to memory of 2972	1768	powershell.exe	cmd.exe
PID 1664 wrote to memory of 992	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 992	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 992	1664	wscript.exe	powershell.exe
PID 992 wrote to memory of 2264	992	powershell.exe	cmd.exe
PID 992 wrote to memory of 2264	992	powershell.exe	cmd.exe
PID 992 wrote to memory of 2264	992	powershell.exe	cmd.exe
PID 1664 wrote to memory of 1556	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 1556	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 1556	1664	wscript.exe	powershell.exe
PID 1556 wrote to memory of 1988	1556	powershell.exe	cmd.exe
PID 1556 wrote to memory of 1988	1556	powershell.exe	cmd.exe
PID 1556 wrote to memory of 1988	1556	powershell.exe	cmd.exe
PID 1664 wrote to memory of 2088	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 2088	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 2088	1664	wscript.exe	powershell.exe
PID 2088 wrote to memory of 3068	2088	powershell.exe	cmd.exe
PID 2088 wrote to memory of 3068	2088	powershell.exe	cmd.exe
PID 2088 wrote to memory of 3068	2088	powershell.exe	cmd.exe
PID 1664 wrote to memory of 1616	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 1616	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 1616	1664	wscript.exe	powershell.exe
PID 1616 wrote to memory of 2496	1616	powershell.exe	cmd.exe
PID 1616 wrote to memory of 2496	1616	powershell.exe	cmd.exe
PID 1616 wrote to memory of 2496	1616	powershell.exe	cmd.exe
PID 1664 wrote to memory of 2556	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 2556	1664	wscript.exe	powershell.exe
PID 1664 wrote to memory of 2556	1664	wscript.exe	powershell.exe
PID 2556 wrote to memory of 2544	2556	powershell.exe	cmd.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\03042024_2143_Install.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:1344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:3068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:1920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tempScript.ps1
Filesize
1KB

MD5
1449878eb9e0b72365906e10545b3a63

SHA1
27c596b59b6ff8024ba1e47a74a2d11a018315aa

SHA256
dcbee82699901eebd224bf5d350ecd713c947da38e7d4a1dc2be04744dd035c9

SHA512
ed78aa6441f6f5ea160257b19ed1515eb29bc6a05d6bfe887f8776f101028e5cc629387f51223a69876f459fe6af6b472ac595556e952e802746fc0bce329fad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a3e096d826767224c5de102c76cda71e

SHA1
700969c1d380376431e16d8d682ea10bba5a25a4

SHA256
9a819572ec656a2f3b2824db8baf08f019296b841b6c6c7b097bd59f430544f0

SHA512
32bdb6b7b00d542c569a291013e924a4d45953f61f8db675428a890ad6c7ba5b8be9aab1adf2a36e73d732951e5071e0bf4b79613f3c04c93ff58135460caf4c

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/340-52-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/340-53-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/340-54-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/340-55-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/340-56-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/340-58-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/992-98-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/992-93-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/992-94-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/992-96-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/992-97-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/992-99-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/992-100-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1032-65-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1032-66-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/1032-67-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1032-68-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/1032-69-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/1032-71-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/1032-72-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1556-110-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1556-109-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/1556-108-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1556-107-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/1556-111-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1556-112-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1556-114-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/1616-135-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/1616-136-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1768-82-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/1768-79-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/1768-85-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/1768-84-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/1768-83-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/1768-80-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2088-122-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2088-123-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2088-124-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2088-125-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2088-126-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2088-128-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-44-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-38-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-39-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2440-40-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-41-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2440-42-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2524-28-0x0000000001DB0000-0x0000000001E30000-memory.dmp

Filesize
512KB

Download
memory/2524-25-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/2524-26-0x0000000001DB0000-0x0000000001E30000-memory.dmp

Filesize
512KB

Download
memory/2524-30-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/2524-27-0x0000000001DB0000-0x0000000001E30000-memory.dmp

Filesize
512KB

Download
memory/2524-21-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/2524-24-0x0000000001DB0000-0x0000000001E30000-memory.dmp

Filesize
512KB

Download
memory/2524-23-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/2524-22-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2744-11-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/2744-5-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2744-14-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-12-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/2744-10-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-6-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2744-9-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/2744-8-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads