pony | de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84

General

Target

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
Size

227KB
MD5

048a199311fab7f94c4875efa1dbd7ae
SHA1

c12904c11f04a09dea4fe96f4f7bfbab0fb69599
SHA256

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84
SHA512

7888f1b5d7a2fbcf61f1f0430f8420271d58327b92861a1ec01a86b57cec0f05fc81385d7a1998d93f780ace94f38ba3812e0faa88cdd2f215e9206b899ed7b9
SSDEEP

3072:ghMU1v4n8NTCNlMNG7rgRyD2TLimejD22u/lbtlRkE82hQP67V98KLd:ghMgt622ob6nuZ

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://www.frankyzulike.org.in/ambrose/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 3 IoCs

Processes:

dhcpsv.exeddphost.exedhcpsv.exe

pid process

228 dhcpsv.exe
1060 ddphost.exe
4552 dhcpsv.exe

pid	process
228	dhcpsv.exe
1060	ddphost.exe
4552	dhcpsv.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exedhcpsv.exeddphost.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dhcpsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ddphost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exeddphost.exe

description	pid	process	target process
PID 1428 set thread context of 4692	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 1060 set thread context of 2812	1060	ddphost.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exedhcpsv.exeddphost.exedhcpsv.exe

pid	process
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
228	dhcpsv.exe
228	dhcpsv.exe
228	dhcpsv.exe
228	dhcpsv.exe
228	dhcpsv.exe
228	dhcpsv.exe
228	dhcpsv.exe
1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
228	dhcpsv.exe
1060	ddphost.exe
4552	dhcpsv.exe
1060	ddphost.exe
4552	dhcpsv.exe
1060	ddphost.exe
4552	dhcpsv.exe
1060	ddphost.exe
4552	dhcpsv.exe
1060	ddphost.exe
4552	dhcpsv.exe
1060	ddphost.exe
4552	dhcpsv.exe
1060	ddphost.exe
4552	dhcpsv.exe
1060	ddphost.exe
4552	dhcpsv.exe
1060	ddphost.exe
4552	dhcpsv.exe
1060	ddphost.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exedhcpsv.exeddphost.exedhcpsv.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
Token: SeDebugPrivilege	228	dhcpsv.exe
Token: SeDebugPrivilege	1060	ddphost.exe
Token: SeDebugPrivilege	4552	dhcpsv.exe
Token: SeImpersonatePrivilege	2812	RegAsm.exe
Token: SeTcbPrivilege	2812	RegAsm.exe
Token: SeChangeNotifyPrivilege	2812	RegAsm.exe
Token: SeCreateTokenPrivilege	2812	RegAsm.exe
Token: SeBackupPrivilege	2812	RegAsm.exe
Token: SeRestorePrivilege	2812	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	2812	RegAsm.exe
Token: SeAssignPrimaryTokenPrivilege	2812	RegAsm.exe
Token: SeImpersonatePrivilege	2812	RegAsm.exe
Token: SeTcbPrivilege	2812	RegAsm.exe
Token: SeChangeNotifyPrivilege	2812	RegAsm.exe
Token: SeCreateTokenPrivilege	2812	RegAsm.exe
Token: SeBackupPrivilege	2812	RegAsm.exe
Token: SeRestorePrivilege	2812	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	2812	RegAsm.exe
Token: SeAssignPrimaryTokenPrivilege	2812	RegAsm.exe
Token: SeImpersonatePrivilege	2812	RegAsm.exe
Token: SeTcbPrivilege	2812	RegAsm.exe
Token: SeChangeNotifyPrivilege	2812	RegAsm.exe
Token: SeCreateTokenPrivilege	2812	RegAsm.exe
Token: SeBackupPrivilege	2812	RegAsm.exe
Token: SeRestorePrivilege	2812	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	2812	RegAsm.exe
Token: SeAssignPrimaryTokenPrivilege	2812	RegAsm.exe
Token: SeImpersonatePrivilege	2812	RegAsm.exe
Token: SeTcbPrivilege	2812	RegAsm.exe
Token: SeChangeNotifyPrivilege	2812	RegAsm.exe
Token: SeCreateTokenPrivilege	2812	RegAsm.exe
Token: SeBackupPrivilege	2812	RegAsm.exe
Token: SeRestorePrivilege	2812	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	2812	RegAsm.exe
Token: SeAssignPrimaryTokenPrivilege	2812	RegAsm.exe
Token: SeImpersonatePrivilege	2812	RegAsm.exe
Token: SeTcbPrivilege	2812	RegAsm.exe
Token: SeChangeNotifyPrivilege	2812	RegAsm.exe
Token: SeCreateTokenPrivilege	2812	RegAsm.exe
Token: SeBackupPrivilege	2812	RegAsm.exe
Token: SeRestorePrivilege	2812	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	2812	RegAsm.exe
Token: SeAssignPrimaryTokenPrivilege	2812	RegAsm.exe
Token: SeImpersonatePrivilege	2812	RegAsm.exe
Token: SeTcbPrivilege	2812	RegAsm.exe
Token: SeChangeNotifyPrivilege	2812	RegAsm.exe
Token: SeCreateTokenPrivilege	2812	RegAsm.exe
Token: SeBackupPrivilege	2812	RegAsm.exe
Token: SeRestorePrivilege	2812	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	2812	RegAsm.exe
Token: SeAssignPrimaryTokenPrivilege	2812	RegAsm.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exedhcpsv.exeddphost.exeRegAsm.exe

description	pid	process	target process
PID 1428 wrote to memory of 4692	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 1428 wrote to memory of 4692	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 1428 wrote to memory of 4692	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 1428 wrote to memory of 4692	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 1428 wrote to memory of 4692	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 1428 wrote to memory of 4692	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 1428 wrote to memory of 4692	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 1428 wrote to memory of 4692	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 1428 wrote to memory of 228	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	dhcpsv.exe
PID 1428 wrote to memory of 228	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	dhcpsv.exe
PID 1428 wrote to memory of 228	1428	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	dhcpsv.exe
PID 228 wrote to memory of 1060	228	dhcpsv.exe	ddphost.exe
PID 228 wrote to memory of 1060	228	dhcpsv.exe	ddphost.exe
PID 228 wrote to memory of 1060	228	dhcpsv.exe	ddphost.exe
PID 1060 wrote to memory of 2812	1060	ddphost.exe	RegAsm.exe
PID 1060 wrote to memory of 2812	1060	ddphost.exe	RegAsm.exe
PID 1060 wrote to memory of 2812	1060	ddphost.exe	RegAsm.exe
PID 1060 wrote to memory of 2812	1060	ddphost.exe	RegAsm.exe
PID 1060 wrote to memory of 2812	1060	ddphost.exe	RegAsm.exe
PID 1060 wrote to memory of 2812	1060	ddphost.exe	RegAsm.exe
PID 1060 wrote to memory of 2812	1060	ddphost.exe	RegAsm.exe
PID 1060 wrote to memory of 2812	1060	ddphost.exe	RegAsm.exe
PID 1060 wrote to memory of 4552	1060	ddphost.exe	dhcpsv.exe
PID 1060 wrote to memory of 4552	1060	ddphost.exe	dhcpsv.exe
PID 1060 wrote to memory of 4552	1060	ddphost.exe	dhcpsv.exe
PID 2812 wrote to memory of 4352	2812	RegAsm.exe	cmd.exe
PID 2812 wrote to memory of 4352	2812	RegAsm.exe	cmd.exe
PID 2812 wrote to memory of 4352	2812	RegAsm.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
"C:\Users\Admin\AppData\Local\Temp\de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:4692
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dhcpsv.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dhcpsv.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ddphost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ddphost.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_win_path
      PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240616890.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "
        5⤵
        
        PID:4352
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dhcpsv.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dhcpsv.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpsv.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\240616890.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ddphost.exe

Filesize
227KB

MD5
048a199311fab7f94c4875efa1dbd7ae

SHA1
c12904c11f04a09dea4fe96f4f7bfbab0fb69599

SHA256
de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84

SHA512
7888f1b5d7a2fbcf61f1f0430f8420271d58327b92861a1ec01a86b57cec0f05fc81385d7a1998d93f780ace94f38ba3812e0faa88cdd2f215e9206b899ed7b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ddphost.exe

Filesize
227KB

MD5
048a199311fab7f94c4875efa1dbd7ae

SHA1
c12904c11f04a09dea4fe96f4f7bfbab0fb69599

SHA256
de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84

SHA512
7888f1b5d7a2fbcf61f1f0430f8420271d58327b92861a1ec01a86b57cec0f05fc81385d7a1998d93f780ace94f38ba3812e0faa88cdd2f215e9206b899ed7b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dhcpsv.exe

Filesize
11KB

MD5
fc2e803e85d0c50ab6227dd79340f205

SHA1
122bf356ce10cb75d0a6b86ae921b9abc746487c

SHA256
6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

SHA512
8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dhcpsv.exe

Filesize
11KB

MD5
fc2e803e85d0c50ab6227dd79340f205

SHA1
122bf356ce10cb75d0a6b86ae921b9abc746487c

SHA256
6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

SHA512
8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dhcpsv.exe

Filesize
11KB

MD5
fc2e803e85d0c50ab6227dd79340f205

SHA1
122bf356ce10cb75d0a6b86ae921b9abc746487c

SHA256
6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

SHA512
8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dhcpsv.exe

Filesize
11KB

MD5
fc2e803e85d0c50ab6227dd79340f205

SHA1
122bf356ce10cb75d0a6b86ae921b9abc746487c

SHA256
6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

SHA512
8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

Download Submit
memory/228-137-0x0000000000000000-mapping.dmp

Download
memory/228-144-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/228-146-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1060-141-0x0000000000000000-mapping.dmp

Download
memory/1060-159-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1060-145-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1428-143-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1428-147-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1428-132-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-148-0x0000000000000000-mapping.dmp

Download
memory/2812-155-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2812-158-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2812-161-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2812-163-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4352-162-0x0000000000000000-mapping.dmp

Download
memory/4552-150-0x0000000000000000-mapping.dmp

Download
memory/4552-157-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4552-160-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4692-135-0x0000000000700000-0x0000000000719000-memory.dmp

Filesize
100KB

Download
memory/4692-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads