pony | 6e57b3151e696198fa799ccdc91d05ecee2462f5adc2ec5cd591b745165106e8

General

Target

iceix_1.2.5.0.vir.exe
Size

1.0MB
MD5

3b3b888bcc1668fbd561b500e1e78e37
SHA1

c958f983cdb6be45d7ad8d6a653ff1516b561e42
SHA256

6e57b3151e696198fa799ccdc91d05ecee2462f5adc2ec5cd591b745165106e8
SHA512

7117cade23b12e48b55b04c732027846e2f3d6450870fd413e93e665b7d29394287ca5a4871c00ad8c078a74a3eec341a38c2ba161e3274202c60380e6250f88

Score

10^/10

discovery rat spyware stealer pony evasion persistence

Malware Config

Signatures

Loads dropped DLL 6 IoCs

Processes:

iceix_1.2.5.0.vir.exeiceix_1.2.5.0.vir.exeasviohu.exe

pid process

1140 iceix_1.2.5.0.vir.exe
1140 iceix_1.2.5.0.vir.exe
1420 iceix_1.2.5.0.vir.exe
1420 iceix_1.2.5.0.vir.exe
304 asviohu.exe
304 asviohu.exe

pid	process
1140	iceix_1.2.5.0.vir.exe
1140	iceix_1.2.5.0.vir.exe
1420	iceix_1.2.5.0.vir.exe
1420	iceix_1.2.5.0.vir.exe
304	asviohu.exe
304	asviohu.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

iceix_1.2.5.0.vir.exeasviohu.exeMBAXG.exeMBAXG.exe

description	pid	process	target process
PID 1140 set thread context of 1420	1140	iceix_1.2.5.0.vir.exe	iceix_1.2.5.0.vir.exe
PID 304 set thread context of 1724	304	asviohu.exe	asviohu.exe
PID 1328 set thread context of 1888	1328	MBAXG.exe	cmd.exe
PID 1528 set thread context of 1956	1528	MBAXG.exe	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

asviohu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	asviohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{0CDF97C3-E747-4D4C-16F1-DD75F1BED301} = "C:\\Users\\Admin\\AppData\\Roaming\\Qyiceb\\asviohu.exe"	asviohu.exe

Suspicious use of WriteProcessMemory 109 IoCs

Processes:

iceix_1.2.5.0.vir.exeiceix_1.2.5.0.vir.execmd.exeasviohu.exeasviohu.exeMBAXG.exe

description	pid	process	target process
PID 1140 wrote to memory of 1328	1140	iceix_1.2.5.0.vir.exe	MBAXG.exe
PID 1140 wrote to memory of 1328	1140	iceix_1.2.5.0.vir.exe	MBAXG.exe
PID 1140 wrote to memory of 1328	1140	iceix_1.2.5.0.vir.exe	MBAXG.exe
PID 1140 wrote to memory of 1328	1140	iceix_1.2.5.0.vir.exe	MBAXG.exe
PID 1140 wrote to memory of 1420	1140	iceix_1.2.5.0.vir.exe	iceix_1.2.5.0.vir.exe
PID 1140 wrote to memory of 1420	1140	iceix_1.2.5.0.vir.exe	iceix_1.2.5.0.vir.exe
PID 1140 wrote to memory of 1420	1140	iceix_1.2.5.0.vir.exe	iceix_1.2.5.0.vir.exe
PID 1140 wrote to memory of 1420	1140	iceix_1.2.5.0.vir.exe	iceix_1.2.5.0.vir.exe
PID 1140 wrote to memory of 1420	1140	iceix_1.2.5.0.vir.exe	iceix_1.2.5.0.vir.exe
PID 1140 wrote to memory of 1420	1140	iceix_1.2.5.0.vir.exe	iceix_1.2.5.0.vir.exe
PID 1420 wrote to memory of 1600	1420	iceix_1.2.5.0.vir.exe	cmd.exe
PID 1420 wrote to memory of 1600	1420	iceix_1.2.5.0.vir.exe	cmd.exe
PID 1420 wrote to memory of 1600	1420	iceix_1.2.5.0.vir.exe	cmd.exe
PID 1420 wrote to memory of 1600	1420	iceix_1.2.5.0.vir.exe	cmd.exe
PID 1420 wrote to memory of 304	1420	iceix_1.2.5.0.vir.exe	asviohu.exe
PID 1420 wrote to memory of 304	1420	iceix_1.2.5.0.vir.exe	asviohu.exe
PID 1420 wrote to memory of 304	1420	iceix_1.2.5.0.vir.exe	asviohu.exe
PID 1420 wrote to memory of 304	1420	iceix_1.2.5.0.vir.exe	asviohu.exe
PID 1600 wrote to memory of 640	1600	cmd.exe	netsh.exe
PID 1600 wrote to memory of 640	1600	cmd.exe	netsh.exe
PID 1600 wrote to memory of 640	1600	cmd.exe	netsh.exe
PID 1600 wrote to memory of 640	1600	cmd.exe	netsh.exe
PID 304 wrote to memory of 1528	304	asviohu.exe	MBAXG.exe
PID 304 wrote to memory of 1528	304	asviohu.exe	MBAXG.exe
PID 304 wrote to memory of 1528	304	asviohu.exe	MBAXG.exe
PID 304 wrote to memory of 1528	304	asviohu.exe	MBAXG.exe
PID 304 wrote to memory of 1724	304	asviohu.exe	asviohu.exe
PID 304 wrote to memory of 1724	304	asviohu.exe	asviohu.exe
PID 304 wrote to memory of 1724	304	asviohu.exe	asviohu.exe
PID 304 wrote to memory of 1724	304	asviohu.exe	asviohu.exe
PID 304 wrote to memory of 1724	304	asviohu.exe	asviohu.exe
PID 304 wrote to memory of 1724	304	asviohu.exe	asviohu.exe
PID 1420 wrote to memory of 1852	1420	iceix_1.2.5.0.vir.exe	cmd.exe
PID 1420 wrote to memory of 1852	1420	iceix_1.2.5.0.vir.exe	cmd.exe
PID 1420 wrote to memory of 1852	1420	iceix_1.2.5.0.vir.exe	cmd.exe
PID 1420 wrote to memory of 1852	1420	iceix_1.2.5.0.vir.exe	cmd.exe
PID 1724 wrote to memory of 1148	1724	asviohu.exe	taskhost.exe
PID 1724 wrote to memory of 1148	1724	asviohu.exe	taskhost.exe
PID 1724 wrote to memory of 1148	1724	asviohu.exe	taskhost.exe
PID 1724 wrote to memory of 1148	1724	asviohu.exe	taskhost.exe
PID 1724 wrote to memory of 1148	1724	asviohu.exe	taskhost.exe
PID 1724 wrote to memory of 1264	1724	asviohu.exe	Dwm.exe
PID 1724 wrote to memory of 1264	1724	asviohu.exe	Dwm.exe
PID 1724 wrote to memory of 1264	1724	asviohu.exe	Dwm.exe
PID 1724 wrote to memory of 1264	1724	asviohu.exe	Dwm.exe
PID 1724 wrote to memory of 1264	1724	asviohu.exe	Dwm.exe
PID 1724 wrote to memory of 1308	1724	asviohu.exe	Explorer.EXE
PID 1724 wrote to memory of 1308	1724	asviohu.exe	Explorer.EXE
PID 1724 wrote to memory of 1308	1724	asviohu.exe	Explorer.EXE
PID 1724 wrote to memory of 1308	1724	asviohu.exe	Explorer.EXE
PID 1724 wrote to memory of 1308	1724	asviohu.exe	Explorer.EXE
PID 1724 wrote to memory of 1328	1724	asviohu.exe	MBAXG.exe
PID 1724 wrote to memory of 1328	1724	asviohu.exe	MBAXG.exe
PID 1724 wrote to memory of 1328	1724	asviohu.exe	MBAXG.exe
PID 1724 wrote to memory of 1328	1724	asviohu.exe	MBAXG.exe
PID 1724 wrote to memory of 1328	1724	asviohu.exe	MBAXG.exe
PID 1328 wrote to memory of 1888	1328	MBAXG.exe	cmd.exe
PID 1328 wrote to memory of 1888	1328	MBAXG.exe	cmd.exe
PID 1328 wrote to memory of 1888	1328	MBAXG.exe	cmd.exe
PID 1328 wrote to memory of 1888	1328	MBAXG.exe	cmd.exe
PID 1328 wrote to memory of 1888	1328	MBAXG.exe	cmd.exe
PID 1328 wrote to memory of 1888	1328	MBAXG.exe	cmd.exe
PID 1328 wrote to memory of 1888	1328	MBAXG.exe	cmd.exe
PID 1328 wrote to memory of 1888	1328	MBAXG.exe	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1540 WinMail.exe
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

pid	process
1540	WinMail.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0F5C13E9-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

asviohu.exe

pid	process
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe
1724	asviohu.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1852 cmd.exe

pid	process
1852	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MBAXG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy	MBAXG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	MBAXG.exe

Executes dropped EXE 4 IoCs

Processes:

MBAXG.exeasviohu.exeMBAXG.exeasviohu.exe

pid process

1328 MBAXG.exe
304 asviohu.exe
1528 MBAXG.exe
1724 asviohu.exe

pid	process
1328	MBAXG.exe
304	asviohu.exe
1528	MBAXG.exe
1724	asviohu.exe

Suspicious use of AdjustPrivilegeToken 72 IoCs

Processes:

iceix_1.2.5.0.vir.exeMBAXG.exeMBAXG.exe

description	pid	process
Token: SeSecurityPrivilege	1420	iceix_1.2.5.0.vir.exe
Token: SeImpersonatePrivilege	1328	MBAXG.exe
Token: SeTcbPrivilege	1328	MBAXG.exe
Token: SeChangeNotifyPrivilege	1328	MBAXG.exe
Token: SeCreateTokenPrivilege	1328	MBAXG.exe
Token: SeBackupPrivilege	1328	MBAXG.exe
Token: SeRestorePrivilege	1328	MBAXG.exe
Token: SeIncreaseQuotaPrivilege	1328	MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege	1328	MBAXG.exe
Token: SeImpersonatePrivilege	1528	MBAXG.exe
Token: SeTcbPrivilege	1528	MBAXG.exe
Token: SeChangeNotifyPrivilege	1528	MBAXG.exe
Token: SeCreateTokenPrivilege	1528	MBAXG.exe
Token: SeBackupPrivilege	1528	MBAXG.exe
Token: SeRestorePrivilege	1528	MBAXG.exe
Token: SeIncreaseQuotaPrivilege	1528	MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege	1528	MBAXG.exe
Token: SeSecurityPrivilege	1328	MBAXG.exe
Token: SeSecurityPrivilege	1328	MBAXG.exe
Token: SeImpersonatePrivilege	1528	MBAXG.exe
Token: SeTcbPrivilege	1528	MBAXG.exe
Token: SeChangeNotifyPrivilege	1528	MBAXG.exe
Token: SeCreateTokenPrivilege	1528	MBAXG.exe
Token: SeBackupPrivilege	1528	MBAXG.exe
Token: SeRestorePrivilege	1528	MBAXG.exe
Token: SeIncreaseQuotaPrivilege	1528	MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege	1528	MBAXG.exe
Token: SeImpersonatePrivilege	1328	MBAXG.exe
Token: SeTcbPrivilege	1328	MBAXG.exe
Token: SeChangeNotifyPrivilege	1328	MBAXG.exe
Token: SeCreateTokenPrivilege	1328	MBAXG.exe
Token: SeBackupPrivilege	1328	MBAXG.exe
Token: SeRestorePrivilege	1328	MBAXG.exe
Token: SeIncreaseQuotaPrivilege	1328	MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege	1328	MBAXG.exe
Token: SeImpersonatePrivilege	1328	MBAXG.exe
Token: SeTcbPrivilege	1328	MBAXG.exe
Token: SeChangeNotifyPrivilege	1328	MBAXG.exe
Token: SeCreateTokenPrivilege	1328	MBAXG.exe
Token: SeBackupPrivilege	1328	MBAXG.exe
Token: SeRestorePrivilege	1328	MBAXG.exe
Token: SeIncreaseQuotaPrivilege	1328	MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege	1328	MBAXG.exe
Token: SeImpersonatePrivilege	1328	MBAXG.exe
Token: SeTcbPrivilege	1328	MBAXG.exe
Token: SeChangeNotifyPrivilege	1328	MBAXG.exe
Token: SeCreateTokenPrivilege	1328	MBAXG.exe
Token: SeBackupPrivilege	1328	MBAXG.exe
Token: SeRestorePrivilege	1328	MBAXG.exe
Token: SeIncreaseQuotaPrivilege	1328	MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege	1328	MBAXG.exe
Token: SeImpersonatePrivilege	1528	MBAXG.exe
Token: SeTcbPrivilege	1528	MBAXG.exe
Token: SeChangeNotifyPrivilege	1528	MBAXG.exe
Token: SeCreateTokenPrivilege	1528	MBAXG.exe
Token: SeBackupPrivilege	1528	MBAXG.exe
Token: SeRestorePrivilege	1528	MBAXG.exe
Token: SeIncreaseQuotaPrivilege	1528	MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege	1528	MBAXG.exe
Token: SeImpersonatePrivilege	1528	MBAXG.exe
Token: SeTcbPrivilege	1528	MBAXG.exe
Token: SeChangeNotifyPrivilege	1528	MBAXG.exe
Token: SeCreateTokenPrivilege	1528	MBAXG.exe
Token: SeBackupPrivilege	1528	MBAXG.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1148

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1264

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\iceix_1.2.5.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\iceix_1.2.5.0.vir.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\MBAXG.exe
"C:\Users\Admin\AppData\Local\Temp\MBAXG.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Modifies Internet Explorer settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\74724.bat" "C:\Users\Admin\AppData\Local\Temp\MBAXG.exe" "
4⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\iceix_1.2.5.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\iceix_1.2.5.0.vir.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4c1f8b0e.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe"
5⤵
- Modifies service
PID:640

C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe
"C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe"
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:304

C:\Users\Admin\AppData\Local\Temp\MBAXG.exe
"C:\Users\Admin\AppData\Local\Temp\MBAXG.exe"
5⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\75114.bat" "C:\Users\Admin\AppData\Local\Temp\MBAXG.exe" "
6⤵
PID:1956

C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe
"C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe"
5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfc65a84c.bat"
4⤵
- Deletes itself
PID:1852

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1868

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- NTFS ADS
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19798759631075434944-15418545151504883715-188750250113054051191873933435-57240694"
1⤵
PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-237386827-1661159246-1444523898-5403431271605636964297507131005161905-1809778242"
1⤵
PID:1948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74724.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\75114.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBAXG.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBAXG.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBAXG.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4c1f8b0e.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfc65a84c.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Fiotby\kuehpor.dav

Download Submit
C:\Users\Admin\AppData\Roaming\Fiotby\kuehpor.dav

Download Submit
C:\Users\Admin\AppData\Roaming\Fiotby\kuehpor.dav

Download Submit
C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe

Download Submit
\Users\Admin\AppData\Local\Temp\MBAXG.exe

Download Submit
\Users\Admin\AppData\Local\Temp\MBAXG.exe

Download Submit
\Users\Admin\AppData\Local\Temp\MBAXG.exe

Download Submit
\Users\Admin\AppData\Local\Temp\MBAXG.exe

Download Submit
\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe

Download Submit
\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe

Download Submit
memory/304-10-0x0000000000000000-mapping.dmp

Download
memory/640-13-0x0000000000000000-mapping.dmp

Download
memory/1328-25-0x0000000000000000-mapping.dmp

Download
memory/1328-2-0x0000000000000000-mapping.dmp

Download
memory/1420-5-0x000000000040E0F1-mapping.dmp

Download
memory/1420-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1420-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1528-32-0x0000000000000000-mapping.dmp

Download
memory/1528-17-0x0000000000000000-mapping.dmp

Download
memory/1540-46-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1540-31-0x0000000003880000-0x0000000003A80000-memory.dmp

Filesize
2.0MB

Download
memory/1540-29-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download
memory/1540-45-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/1540-37-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download
memory/1540-47-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1540-41-0x0000000003980000-0x0000000003A80000-memory.dmp

Filesize
1024KB

Download
memory/1540-39-0x0000000003880000-0x0000000003A80000-memory.dmp

Filesize
2.0MB

Download
memory/1600-7-0x0000000000000000-mapping.dmp

Download
memory/1724-21-0x000000000040E0F1-mapping.dmp

Download
memory/1852-24-0x0000000000000000-mapping.dmp

Download
memory/1888-28-0x000000000005DD63-mapping.dmp

Download
memory/1888-27-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1956-36-0x000000000005DD63-mapping.dmp

Download
memory/1956-35-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads